Update GitHub Actions workflows. (#878 )

This PR was triggered by @t0yv0 generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit [b888a93605aab0d973777521a03763e13948d127](b888a93605). Co-authored-by: Pulumi Bot <bot@pulumi.com>
Update pulumi/auth-actions action to v2 (#877 )
2026-05-30 06:35:12 +00:00 · 2026-05-30 05:42:52 +00:00 · 2026-05-28 21:30:23 +00:00 · 2026-05-28 06:57:07 +00:00 · 2026-05-28 00:35:07 +00:00 · 2026-05-27 09:38:27 -04:00
127 changed files with 8487 additions and 6585 deletions
--- a/.ci-mgmt.yaml
+++ b/.ci-mgmt.yaml
@@ -9,21 +9,12 @@ gcp: true
 sdkModuleDir: sdk/go/dockerbuild
 parallel: 3
 esc:
-    enabled: true
+  enabled: true
 envOverride:
-    AWS_REGION: us-west-2
-    PULUMI_API: "https://api.pulumi-staging.io"
-    ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-    ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-    ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-    ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-    AZURE_LOCATION: westus
-    DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-    GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
-    GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
-    GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
-    GOOGLE_PROJECT: pulumi-ci-gcp-provider
-    GOOGLE_PROJECT_NUMBER: 895284651812
-    GOOGLE_REGION: us-central1
-    GOOGLE_ZONE: us-central1-a
-    DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
--- a/.config/mise.lock
+++ b/.config/mise.lock
@@ -1,45 +0,0 @@
-[[tools.dotnet]]
-version = "8.0.414"
-backend = "asdf:dotnet"
-
-[[tools."github:pulumi/pulumictl"]]
-version = "0.0.50"
-backend = "github:pulumi/pulumictl"
-
-[tools."github:pulumi/pulumictl".platforms.linux-x64]
-checksum = "blake3:c128dd74993f779c613296fe7cd21c20cbd323f24e59cb76e007620660b60348"
-size = 27744219
-url = "https://github.com/pulumi/pulumictl/releases/download/v0.0.50/pulumictl-v0.0.50-linux-amd64.tar.gz"
-
-[[tools."github:pulumi/schema-tools"]]
-version = "0.6.0"
-backend = "github:pulumi/schema-tools"
-
-[tools."github:pulumi/schema-tools".platforms.linux-x64]
-checksum = "blake3:82dfe616fee18b4258f6e3d2dc3c4e9f14afd43a0a4cc33eff2d2a04088d6ca3"
-size = 14282746
-url = "https://github.com/pulumi/schema-tools/releases/download/v0.6.0/schema-tools-v0.6.0-linux-amd64.tar.gz"
-
-[[tools.go]]
-version = "1.21.13"
-backend = "core:go"
-
-[[tools.gradle]]
-version = "7.6.6"
-backend = "aqua:gradle/gradle"
-
-[[tools.java]]
-version = "corretto-11.0.28.6.1"
-backend = "core:java"
-
-[[tools.node]]
-version = "20.19.5"
-backend = "core:node"
-
-[[tools.pulumi]]
-version = "3.198.0"
-backend = "aqua:pulumi/pulumi"
-
-[[tools.python]]
-version = "3.11.8"
-backend = "core:python"
--- a/.config/mise.test.toml
+++ b/.config/mise.test.toml
@@ -1,7 +1,4 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt

-# Overrides tool versions for test workflows
-
 [tools]
-# always use pulumi latest for tests
-pulumi = "latest"
+"aqua:gotestyourself/gotestsum" = "1.12.0"
--- a/.config/mise.toml
+++ b/.config/mise.toml
@@ -2,25 +2,34 @@
 # You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html

 [env]
-_.source = "{{config_root}}/scripts/get-versions.sh"
+_.vfox-pulumi = { module_path = "." } # Sets GO_VERSION_MISE and PULUMI_VERSION_MISE
+PULUMI_HOME = "{{config_root}}/.pulumi"

 [tools]

 # Runtimes
-# TODO: we may not need `get_env` once https://github.com/jdx/mise/discussions/6339 is fixed
-go = "{{ get_env(name='MISE_GO_VERSION', default='latest') }}"
-node = '20'
+go = "{{ env.GO_VERSION_MISE }}"
+node = '20.19.5'
 python = '3.11.8'
-dotnet = '8.0'
+"vfox:version-fox/vfox-dotnet" = "8.0.20" # vfox backend doesn't work on Windows, gives "error converting Lua table to PreInstall (no version returned from vfox plugin)" https://github.com/jdx/mise/discussions/5876 https://github.com/jdx/mise/discussions/5550
 # Corretto version used as Java SE/OpenJDK version no longer offered
 java = 'corretto-11'

 # Executable tools
-pulumi = "{{ get_env(name='MISE_PULUMI_VERSION', default='latest') }}"
-"github:pulumi/pulumictl" = 'latest'
-"github:pulumi/schema-tools" = "latest"
-gradle = '7.6'
+"github:pulumi/pulumi" = "{{ env.PULUMI_VERSION_MISE }}"
+"github:pulumi/pulumictl" = '0.0.50'
+"github:pulumi/schema-tools" = "0.6.0"
+"go:github.com/pulumi/upgrade-provider" = "main"
+"aqua:gradle/gradle-distributions" = '7.6.6'
+golangci-lint = "2.9.0" # See note about about overrides if you need to customize this.
+"npm:yarn" = "1.22.22"

 [settings]
 experimental = true # Required for Go binaries (e.g. pulumictl).
-lockfile = true
+lockfile = false
+http_retries = 3
+pin = true # `mise use` should pin versions instead of defaulting to latest.
+fetch_remote_versions_cache = "24h" # Mise queries versions even if they're pinned to confirm they exist. Reduce GitHub API calls by doing that less often.
+
+[plugins]
+vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,2 @@
 sdk/**/* linguist-generated=true
-provider/internal/mock*.go linguist-generated=true
+.github/workflows/*.lock.yml linguist-generated=true merge=ours
--- a/.github/actions/download-provider/action.yml
+++ b/.github/actions/download-provider/action.yml
@@ -0,0 +1,19 @@
+name: Download Provider Binary
+description: Downloads the provider binary artifact and restores executable permissions
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download provider
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+
+    - name: UnTar provider binaries
+      shell: bash
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
+
+    - name: Restore Binary Permissions
+      shell: bash
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;
--- a/.github/actions/download-sdk/action.yml
+++ b/.github/actions/download-sdk/action.yml
@@ -0,0 +1,20 @@
+name: Download SDK
+description: Downloads and extracts SDK artifacts for a specific language
+
+inputs:
+  language:
+    description: 'The SDK language to download (nodejs, python, dotnet, java)'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: ${{ inputs.language }}-sdk.tar.gz
+        path: ${{ github.workspace }}/sdk/
+
+    - name: UnTar SDK folder
+      shell: bash
+      run: tar -zxf ${{ github.workspace }}/sdk/${{ inputs.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ inputs.language }}
--- a/.github/actions/setup-tools/action.yml
+++ b/.github/actions/setup-tools/action.yml
@@ -0,0 +1,41 @@
+name: Setup Tools
+description: Installs all tools (Go, Node, Python, .NET, Java, Pulumi, etc.) using mise
+
+inputs:
+  cache:
+    description: Enable caching
+    required: false
+    default: "false"
+  github_token:
+    description: GitHub token
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup mise
+      uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
+      env:
+        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
+      with:
+        version: 2026.3.7
+        cache_save: ${{ inputs.cache }}
+        github_token: ${{ inputs.github_token }}
+
+    - name: Setup Go Cache
+      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+      with:
+        cache: ${{ inputs.cache }}
+        cache-dependency-path: |
+          provider/*.sum
+          upstream/*.sum
+          sdk/go/*.sum
+          sdk/*.sum
+          *.sum
+
+    - name: Setup Node
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      with:
+        # we don't set node-version because we install with mise.
+        # this step is needed to setup npm auth
+        registry-url: https://registry.npmjs.org
--- a/.github/agents/agentic-workflows.agent.md
+++ b/.github/agents/agentic-workflows.agent.md
@@ -0,0 +1,177 @@
+---
+description: GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing
+disable-model-invocation: true
+---
+
+# GitHub Agentic Workflows Agent
+
+This agent helps you work with **GitHub Agentic Workflows (gh-aw)**, a CLI extension for creating AI-powered workflows in natural language using markdown files.
+
+## What This Agent Does
+
+This is a **dispatcher agent** that routes your request to the appropriate specialized prompt based on your task:
+
+- **Creating new workflows**: Routes to `create` prompt
+- **Updating existing workflows**: Routes to `update` prompt
+- **Debugging workflows**: Routes to `debug` prompt  
+- **Upgrading workflows**: Routes to `upgrade-agentic-workflows` prompt
+- **Creating report-generating workflows**: Routes to `report` prompt — consult this whenever the workflow posts status updates, audits, analyses, or any structured output as issues, discussions, or comments
+- **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt
+- **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`). Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes
+- **Analyzing test coverage**: Routes to `test-coverage` prompt — consult this whenever the workflow reads, analyzes, or reports on test coverage data from PRs or CI runs
+
+Workflows may optionally include:
+
+- **Project tracking / monitoring** (GitHub Projects updates, status reporting)
+- **Orchestration / coordination** (one workflow assigning agents or dispatching and coordinating other workflows)
+
+## Files This Applies To
+
+- Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md`
+- Workflow lock files: `.github/workflows/*.lock.yml`
+- Shared components: `.github/workflows/shared/*.md`
+- Configuration: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/github-agentic-workflows.md
+
+## Problems This Solves
+
+- **Workflow Creation**: Design secure, validated agentic workflows with proper triggers, tools, and permissions
+- **Workflow Debugging**: Analyze logs, identify missing tools, investigate failures, and fix configuration issues
+- **Version Upgrades**: Migrate workflows to new gh-aw versions, apply codemods, fix breaking changes
+- **Component Design**: Create reusable shared workflow components that wrap MCP servers
+
+## How to Use
+
+When you interact with this agent, it will:
+
+1. **Understand your intent** - Determine what kind of task you're trying to accomplish
+2. **Route to the right prompt** - Load the specialized prompt file for your task
+3. **Execute the task** - Follow the detailed instructions in the loaded prompt
+
+## Available Prompts
+
+### Create New Workflow
+**Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/create-agentic-workflow.md
+
+**Use cases**:
+- "Create a workflow that triages issues"
+- "I need a workflow to label pull requests"
+- "Design a weekly research automation"
+
+### Update Existing Workflow  
+**Load when**: User wants to modify, improve, or refactor an existing workflow
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/update-agentic-workflow.md
+
+**Use cases**:
+- "Add web-fetch tool to the issue-classifier workflow"
+- "Update the PR reviewer to use discussions instead of issues"
+- "Improve the prompt for the weekly-research workflow"
+
+### Debug Workflow  
+**Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/debug-agentic-workflow.md
+
+**Use cases**:
+- "Why is this workflow failing?"
+- "Analyze the logs for workflow X"
+- "Investigate missing tool calls in run #12345"
+
+### Upgrade Agentic Workflows
+**Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/upgrade-agentic-workflows.md
+
+**Use cases**:
+- "Upgrade all workflows to the latest version"
+- "Fix deprecated fields in workflows"
+- "Apply breaking changes from the new release"
+
+### Create a Report-Generating Workflow
+**Load when**: The workflow being created or updated produces reports — recurring status updates, audit summaries, analyses, or any structured output posted as a GitHub issue, discussion, or comment
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/report.md
+
+**Use cases**:
+- "Create a weekly CI health report"
+- "Post a daily security audit to Discussions"
+- "Add a status update comment to open PRs"
+
+### Create Shared Agentic Workflow
+**Load when**: User wants to create a reusable workflow component or wrap an MCP server
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/create-shared-agentic-workflow.md
+
+**Use cases**:
+- "Create a shared component for Notion integration"
+- "Wrap the Slack MCP server as a reusable component"
+- "Design a shared workflow for database queries"
+
+### Fix Dependabot PRs
+**Load when**: User needs to close or fix open Dependabot PRs that update dependencies in generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`)
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/dependabot.md
+
+**Use cases**:
+- "Fix the open Dependabot PRs for npm dependencies"
+- "Bundle and close the Dependabot PRs for workflow dependencies"
+- "Update @playwright/test to fix the Dependabot PR"
+
+### Analyze Test Coverage
+**Load when**: The workflow reads, analyzes, or reports test coverage — whether triggered by a PR, a schedule, or a slash command. Always consult this prompt before designing the coverage data strategy.
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/test-coverage.md
+
+**Use cases**:
+- "Create a workflow that comments coverage on PRs"
+- "Analyze coverage trends over time"
+- "Add a coverage gate that blocks PRs below a threshold"
+
+## Instructions
+
+When a user interacts with you:
+
+1. **Identify the task type** from the user's request
+2. **Load the appropriate prompt** from the GitHub repository URLs listed above
+3. **Follow the loaded prompt's instructions** exactly
+4. **If uncertain**, ask clarifying questions to determine the right prompt
+
+## Quick Reference
+
+```bash
+# Initialize repository for agentic workflows
+gh aw init
+
+# Generate the lock file for a workflow
+gh aw compile [workflow-name]
+
+# Debug workflow runs
+gh aw logs [workflow-name]
+gh aw audit <run-id>
+
+# Upgrade workflows
+gh aw fix --write
+gh aw compile --validate
+```
+
+## Key Features of gh-aw
+
+- **Natural Language Workflows**: Write workflows in markdown with YAML frontmatter
+- **AI Engine Support**: Copilot, Claude, Codex, or custom engines
+- **MCP Server Integration**: Connect to Model Context Protocol servers for tools
+- **Safe Outputs**: Structured communication between AI and GitHub API
+- **Strict Mode**: Security-first validation and sandboxing
+- **Shared Components**: Reusable workflow building blocks
+- **Repo Memory**: Persistent git-backed storage for agents
+- **Sandboxed Execution**: All workflows run in the Agent Workflow Firewall (AWF) sandbox, enabling full `bash` and `edit` tools by default
+
+## Important Notes
+
+- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/github-agentic-workflows.md for complete documentation
+- Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud
+- Workflows must be compiled to `.lock.yml` files before running in GitHub Actions
+- **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF
+- Follow security best practices: minimal permissions, explicit network access, no template injection
+- **Single-file output**: When creating a workflow, produce exactly **one** workflow `.md` file. Do not create separate documentation files (architecture docs, runbooks, usage guides, etc.). If documentation is needed, add a brief `## Usage` section inside the workflow file itself.
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -0,0 +1,41 @@
+{
+  "entries": {
+    "actions/github-script@v9.0.0": {
+      "repo": "actions/github-script",
+      "version": "v9.0.0",
+      "sha": "3a2844b7e9c422d3c10d287c895573f7108da1b3"
+    },
+    "github/gh-aw-actions/setup@v0.76.1": {
+      "repo": "github/gh-aw-actions/setup",
+      "version": "v0.76.1",
+      "sha": "46d564922b082d0db93244972e8005ea6904ee5f"
+    },
+    "github/gh-aw/actions/setup@v0.76.1": {
+      "repo": "github/gh-aw/actions/setup",
+      "version": "v0.76.1",
+      "sha": "58d1bedbb7200f59c2d224151339e38fd8687d05"
+    }
+  },
+  "containers": {
+    "ghcr.io/github/gh-aw-firewall/agent:0.25.55": {
+      "image": "ghcr.io/github/gh-aw-firewall/agent:0.25.55",
+      "digest": "sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731",
+      "pinned_image": "ghcr.io/github/gh-aw-firewall/agent:0.25.55@sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731"
+    },
+    "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55": {
+      "image": "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55",
+      "digest": "sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3",
+      "pinned_image": "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55@sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3"
+    },
+    "ghcr.io/github/gh-aw-firewall/squid:0.25.55": {
+      "image": "ghcr.io/github/gh-aw-firewall/squid:0.25.55",
+      "digest": "sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca",
+      "pinned_image": "ghcr.io/github/gh-aw-firewall/squid:0.25.55@sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca"
+    },
+    "ghcr.io/github/gh-aw-mcpg:v0.3.19": {
+      "image": "ghcr.io/github/gh-aw-mcpg:v0.3.19",
+      "digest": "sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f",
+      "pinned_image": "ghcr.io/github/gh-aw-mcpg:v0.3.19@sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f"
+    }
+  }
+}
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,19 +16,12 @@ on:
  workflow_dispatch: {}
 env:
  PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  GOVERSION: "1.21.x"
  NODEVERSION: "20.x"
  PYTHONVERSION: "3.11.8"
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  AWS_REGION: us-west-2
-  AZURE_LOCATION: westus
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -37,6 +30,9 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  TF_APPEND_USER_AGENT: pulumi

 jobs:
  prerequisites:
@@ -47,7 +43,7 @@ jobs:
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -59,27 +55,27 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
+        cache: 'true'
+        github_token: ${{ secrets.GITHUB_TOKEN }}
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
      with:
        repo: pulumi/schema-tools
    - name: Build codegen binaries
@@ -127,78 +123,28 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
-        contains(github.actor, 'renovate') && github.event_name ==
-        'pull_request'
-      shell: bash
-      run: >
-        git diff --quiet -- sdk && echo "no changes to sdk" && exit
-
-        git config --global user.email "bot@pulumi.com"
-
-        git config --global user.name "pulumi-bot"
-
-        # Stash local changes and check out the PR's branch directly.
-
-        git stash
-
-        git fetch
-
-        git checkout "origin/$HEAD_REF"
-
-
-        # Apply and add our changes, but don't commit any files we expect to
-
-        # always change due to versioning.
-
-        git stash pop
-
-        git add sdk
-
-        git reset sdk/python/*/pulumi-plugin.json \
-            sdk/python/pyproject.toml \
-            sdk/dotnet/pulumi-plugin.json \
-            sdk/dotnet/*.*.csproj \
-            sdk/dotnet/version.txt \
-            sdk/go/*/pulumi-plugin.json \
-            sdk/go/*/internal/pulumiUtilities.go \
-            sdk/nodejs/package.json
-
-        git commit -m 'Commit SDK for Renovate'
-
-
-        # Push with pulumi-bot credentials to trigger a re-run of the
-
-        # workflow. https://github.com/orgs/community/discussions/25702
-
-        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
-      env:
-        HEAD_REF: ${{ github.head_ref }}
+          sdk/java/build.gradle
    - run: git status --porcelain
    - name: Tar provider binaries
      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
      env:
-        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
-        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
-        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in building provider prerequisites
        fields: repo,commit,author,action
@@ -223,7 +169,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -235,58 +181,25 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
-    - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
-      with:
-        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
-        path: ${{ github.workspace }}/bin
-    - name: UnTar provider binaries
-      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
-        github.workspace}}/bin
-    - name: Restore Binary Permissions
-      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
-        -exec chmod +x {} \;
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
    - name: Generate SDK
      run: make generate_${{ matrix.language }}
    - name: Build SDK
@@ -302,66 +215,19 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
-        contains(github.actor, 'renovate') && github.event_name ==
-        'pull_request'
-      shell: bash
-      run: >
-        git diff --quiet -- sdk && echo "no changes to sdk" && exit
-
-        git config --global user.email "bot@pulumi.com"
-
-        git config --global user.name "pulumi-bot"
-
-        # Stash local changes and check out the PR's branch directly.
-
-        git stash
-
-        git fetch
-
-        git checkout "origin/$HEAD_REF"
-
-
-        # Apply and add our changes, but don't commit any files we expect to
-
-        # always change due to versioning.
-
-        git stash pop
-
-        git add sdk
-
-        git reset sdk/python/*/pulumi-plugin.json \
-            sdk/python/pyproject.toml \
-            sdk/dotnet/pulumi-plugin.json \
-            sdk/dotnet/*.*.csproj \
-            sdk/dotnet/version.txt \
-            sdk/go/*/pulumi-plugin.json \
-            sdk/go/*/internal/pulumiUtilities.go \
-            sdk/nodejs/package.json
-
-        git commit -m 'Commit SDK for Renovate'
-
-
-        # Push with pulumi-bot credentials to trigger a re-run of the
-
-        # workflow. https://github.com/orgs/community/discussions/25702
-
-        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
-      env:
-        HEAD_REF: ${{ github.head_ref }}
+          sdk/java/build.gradle
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
        retention-days: 30
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure while building SDKs
        fields: repo,commit,author,action
@@ -378,7 +244,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -423,7 +289,7 @@ jobs:
      id-token: write # For ESC secrets and Pulumi access token OIDC.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -435,68 +301,30 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
-    - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
-      with:
-        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
-        path: ${{ github.workspace }}/bin
-    - name: UnTar provider binaries
-      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
-        github.workspace}}/bin
-    - name: Restore Binary Permissions
-      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
-        -exec chmod +x {} \;
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: ./.github/actions/download-sdk
      with:
-        name: ${{ matrix.language }}-sdk.tar.gz
-        path: ${{ github.workspace}}/sdk/
-    - name: UnTar SDK folder
-      if: ${{ matrix.language != 'yaml' }}
-      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
-        github.workspace}}/sdk/${{ matrix.language}}
+        language: ${{ matrix.language }}
    - name: Update path
      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
    - name: Install Node dependencies
@@ -517,7 +345,7 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@efb0bc8946938f0dfbfa00e829196ec95f0d0ea7 # v1.4.0
+      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
@@ -548,7 +376,7 @@ jobs:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in SDK tests
        fields: repo,commit,author,action
@@ -564,7 +392,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -576,18 +404,23 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Clear GitHub Actions Ubuntu runner disk space
      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
      with:
@@ -597,14 +430,8 @@ jobs:
        haskell: true
        swap-storage: true
        large-packages: false
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+      uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
      with:
        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
@@ -620,15 +447,17 @@ jobs:
        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
-        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+        AZURE_SIGNING_ACCOUNT_ENDPOINT: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT }}
+        AZURE_SIGNING_ACCOUNT_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME }}
+        AZURE_SIGNING_CERT_PROFILE_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME }}
+        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME == '' }}
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      with:
        args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
        version: latest
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing binaries
        fields: repo,commit,author,action
@@ -644,7 +473,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -656,45 +485,31 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        path: ci-scripts
        repository: pulumi/scripts
    - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download python SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -702,7 +517,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -710,7 +525,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -734,7 +549,7 @@ jobs:
        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing SDK
        fields: repo,commit,author,action
@@ -742,28 +557,6 @@ jobs:
      env:
        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  lint:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
-        lfs: true
-        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Disarm go:embed directives to enable linters that compile source code
-      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
-        's/go:embed/ goembed/g'
-    - name: golangci-lint provider pkg
-      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
-      with:
-        version: ${{ env.GOLANGCI_LINT_VERSION }}
-        args: -c ../.golangci.yml
-        working-directory: provider
    name: lint
-    if: github.event_name == 'repository_dispatch' ||
-      github.event.pull_request.head.repo.full_name == github.repository
+    uses: ./.github/workflows/lint.yml
+    secrets: inherit
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,139 @@
+name: Claude Code
+
+on:
+  # Responds to @claude mentions in comments.
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    # Only run when @claude is mentioned by a trusted user (OWNER, MEMBER, or COLLABORATOR)
+    # Note: the claude-code-action can only be triggered by users with write access to the repository so this is extra
+    # see https://github.com/anthropics/claude-code-action/blob/main/docs/security.md
+    if: |
+      (github.event_name == 'issue_comment' &&
+        contains(github.event.comment.body, '@claude') &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review_comment' &&
+        contains(github.event.comment.body, '@claude') &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review' &&
+        contains(github.event.review.body, '@claude') &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)) ||
+      (github.event_name == 'issues' &&
+        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      id-token: write
+      actions: read
+    steps:
+      - env:
+          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+          ESC_ACTION_OIDC_AUTH: "true"
+          ESC_ACTION_OIDC_ORGANIZATION: pulumi
+          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+        id: esc-secrets
+        name: Fetch secrets from ESC
+        uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+      - name: Checkout PR head (if applicable)
+        if: ${{ github.event.pull_request.number || (github.event.issue.pull_request && github.event.issue.number) }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
+        run: gh pr checkout "$PR_NUMBER"
+      - name: Setup mise
+        uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
+        env:
+          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
+        with:
+          version: 2026.3.7
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          # only saving the cache in the prerequisites job
+          cache_save: false
+      - name: Set git identity
+        run: |-
+          git config --global user.name "claude[bot]"
+          git config --global user.email "bot@pulumi.com"
+        shell: bash
+      - name: Prepare local workspace
+        # this runs install_plugins and upstream
+        run: make prepare_local_workspace
+      - name: Run Claude Code Review
+        # Comment must contain '@claude review'
+        if: |
+          (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude review')) ||
+          (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude review')) ||
+          (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude review'))
+        id: claude-review
+        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1
+        with:
+          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
+
+            Review this pull request using the provider-code-review skill for guidelines.
+            The PR branch is already checked out in the current working directory.
+
+            Use `gh pr comment` for top-level feedback.
+            Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues.
+            Only post GitHub comments - don't submit review text as messages.
+          # Taken from https://github.com/anthropics/claude-code/blob/main/plugins/code-review/commands/code-review.md
+          claude_args: |
+            --allowedTools "Skill,Bash(gh issue view *),Bash(gh search *),Bash(gh issue list *),Bash(gh pr comment *),Bash(gh pr diff *),Bash(gh pr view *),Bash(gh pr list *),mcp__github_inline_comment__create_inline_comment"
+      - name: Run Claude Code
+        # Comment must contain '@claude', but not '@claude review'
+        if: |
+          !contains(github.event.comment.body, '@claude review') &&
+          !contains(github.event.review.body, '@claude review')
+        id: claude-action
+        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1
+        with:
+          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
+          # This allows claude to read github action logs
+          additional_permissions: |
+            actions: read
+          # Sandbox settings: --allowedTools controls which tools Claude can invoke,
+          # but the sandbox also enforces OS-level filesystem restrictions. Edit()
+          # rules in permissions.allow control all bash filesystem writes (mkdir,
+          # output redirection, etc.), not just the Edit tool. Without these, commands
+          # like `mkdir .pulumi` or `cmd > file.txt` would be blocked by the sandbox.
+          settings: |
+            {
+              "permissions": {
+                "allow": ["Edit(./**)", "Edit(/tmp/**)"]
+              }
+            }
+          claude_args: |
+            --max-turns 50
+            --allowedTools "Skill,Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(upgrade-provider *),Bash(./scripts/upstream.sh *),Bash(git *),Bash(GIT_EDITOR=* git *),Bash(make *),Bash(gh *),Bash(mkdir *),Bash(go mod tidy *),Bash(ls *),Bash(test *),Bash(cat *),Bash(pwd),Bash(head *),Bash(tail *),Bash(tee *),Bash(rg *),Bash(grep *),Bash(sed *),Bash(awk *),Bash(find *)"
+        # If the claude action fails you don't get any logs on what claude was doing
+        # Uploading the artifact allows you to download the artifact from the UI
+      - name: Upload Claude review output on failure
+        if: failure() && steps.claude-review.outputs.execution_file
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: claude-review-execution-log
+          path: ${{ steps.claude-review.outputs.execution_file }}
+          retention-days: 7
+      - name: Upload Claude output on failure
+        if: failure() && steps.claude-action.outputs.execution_file
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: claude-execution-log
+          path: ${{ steps.claude-action.outputs.execution_file }}
+          retention-days: 7
--- a/.github/workflows/command-dispatch.yml
+++ b/.github/workflows/command-dispatch.yml
@@ -1,11 +1,6 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt

 env:
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  AWS_REGION: us-west-2
-  AZURE_LOCATION: westus
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -14,6 +9,10 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
+  TF_APPEND_USER_AGENT: pulumi

 jobs:
  command-dispatch-for-testing:
@@ -24,7 +23,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false    
    - env:
@@ -36,7 +35,7 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4
+    - uses: peter-evans/slash-command-dispatch@5c11dc7efead556e3bdabf664302212f79eb26fa # v5
      with:
        commands: |
          run-acceptance-tests
--- a/.github/workflows/comment-on-stale-issues.yml
+++ b/.github/workflows/comment-on-stale-issues.yml
@@ -1,6 +1,8 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 name: "Comment on stale issues"

 on:
+  workflow_dispatch: {}
  schedule:
  - cron: "46 4 * * *" # run once per day

@@ -9,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    name: Stale issue job
    steps:
-    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc #v7.1.0
+    - uses: pose/stale-issue-cleanup@d2922f61fc5669f4154408689f9bb2a981996112
      with:
        issue-types: issues # only look at issues (ignore pull-requests)

--- a/.github/workflows/community-moderation.yml
+++ b/.github/workflows/community-moderation.yml
@@ -6,18 +6,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false
    - id: schema_changed
      name: Check for diff in schema
-      uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+      uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
      with:
        filters: "changed: 'provider/cmd/**/schema.json'"
    - id: sdk_changed
      if: steps.schema_changed.outputs.changed == 'false'
      name: Check for diff in sdk/**
-      uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+      uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
      with:
        filters: "changed: 'sdk/**'"
    - if: steps.sdk_changed.outputs.changed == 'true' &&
--- a/.github/workflows/export-repo-secrets.yml
+++ b/.github/workflows/export-repo-secrets.yml
@@ -8,7 +8,7 @@ jobs:
    steps:
      - name: Generate a GitHub token
        id: generate-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
        with:
          app-id: 1256780 # Export Secrets GitHub App
          private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
--- a/.github/workflows/gh-aw-pr-rereview.lock.yml
+++ b/.github/workflows/gh-aw-pr-rereview.lock.yml
--- a/.github/workflows/gh-aw-pr-rereview.md
+++ b/.github/workflows/gh-aw-pr-rereview.md
@@ -0,0 +1,20 @@
+---
+on:
+  slash_command:
+    events:
+    - pull_request_comment
+    - pull_request_review_comment
+    name: review-again
+permissions:
+  contents: read
+  id-token: write
+  pull-requests: read
+imports:
+- shared/review.md
+- shared/plugins/code-review/code-review.md
+description: Run PR re-review on explicit maintainer slash command.
+source: pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-rereview.md@8a92f53fac170563f7727cacab2dbedb5d5b9e29
+strict: true
+timeout-minutes: 15
+---
+# Internal PR Re-Review (Slash Command)
--- a/.github/workflows/gh-aw-pr-review.lock.yml
+++ b/.github/workflows/gh-aw-pr-review.lock.yml
--- a/.github/workflows/gh-aw-pr-review.md
+++ b/.github/workflows/gh-aw-pr-review.md
@@ -0,0 +1,25 @@
+---
+on:
+  pull_request:
+    types:
+    - opened
+    - ready_for_review
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: Pull request number to review
+        required: true
+        type: string
+permissions:
+  contents: read
+  id-token: write
+  pull-requests: read
+imports:
+- shared/review.md
+- shared/plugins/code-review/code-review.md
+description: Automated PR review for trusted internal contributors.
+source: pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-review.md@8a92f53fac170563f7727cacab2dbedb5d5b9e29
+strict: true
+timeout-minutes: 15
+---
+# Internal Trusted PR Reviewer
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,66 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
+name: lint
+
+on:
+  workflow_call:
+    inputs: {}
+
+env:
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
+  TF_APPEND_USER_AGENT: pulumi
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - name: Setup mise
+      uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
+      env:
+        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
+      with:
+        version: 2026.3.7
+        github_token: ${{ steps.app-auth.outputs.token }}
+        cache_save: false # A different job handles caching our tools.
+    - name: prepare workspace
+      continue-on-error: true
+      run: make prepare_local_workspace
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: lint
+      run: make lint
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -7,19 +7,12 @@ on:
    - v*.*.*-**
 env:
  PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  GOVERSION: "1.21.x"
  NODEVERSION: "20.x"
  PYTHONVERSION: "3.11.8"
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  AWS_REGION: us-west-2
-  AZURE_LOCATION: westus
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -28,15 +21,21 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  TF_APPEND_USER_AGENT: pulumi
  IS_PRERELEASE: true

 jobs:
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
+    permissions:
+      id-token: write # For ESC secrets.
+      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -48,27 +47,27 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
+        cache: 'true'
+        github_token: ${{ secrets.GITHUB_TOKEN }}
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
      with:
        repo: pulumi/schema-tools
    - name: Build codegen binaries
@@ -116,78 +115,28 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
-        contains(github.actor, 'renovate') && github.event_name ==
-        'pull_request'
-      shell: bash
-      run: >
-        git diff --quiet -- sdk && echo "no changes to sdk" && exit
-
-        git config --global user.email "bot@pulumi.com"
-
-        git config --global user.name "pulumi-bot"
-
-        # Stash local changes and check out the PR's branch directly.
-
-        git stash
-
-        git fetch
-
-        git checkout "origin/$HEAD_REF"
-
-
-        # Apply and add our changes, but don't commit any files we expect to
-
-        # always change due to versioning.
-
-        git stash pop
-
-        git add sdk
-
-        git reset sdk/python/*/pulumi-plugin.json \
-            sdk/python/pyproject.toml \
-            sdk/dotnet/pulumi-plugin.json \
-            sdk/dotnet/*.*.csproj \
-            sdk/dotnet/version.txt \
-            sdk/go/*/pulumi-plugin.json \
-            sdk/go/*/internal/pulumiUtilities.go \
-            sdk/nodejs/package.json
-
-        git commit -m 'Commit SDK for Renovate'
-
-
-        # Push with pulumi-bot credentials to trigger a re-run of the
-
-        # workflow. https://github.com/orgs/community/discussions/25702
-
-        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
-      env:
-        HEAD_REF: ${{ github.head_ref }}
+          sdk/java/build.gradle
    - run: git status --porcelain
    - name: Tar provider binaries
      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
      env:
-        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
-        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
-        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in building provider prerequisites
        fields: repo,commit,author,action
@@ -212,7 +161,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -224,58 +173,25 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
-    - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
-      with:
-        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
-        path: ${{ github.workspace }}/bin
-    - name: UnTar provider binaries
-      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
-        github.workspace}}/bin
-    - name: Restore Binary Permissions
-      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
-        -exec chmod +x {} \;
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
    - name: Generate SDK
      run: make generate_${{ matrix.language }}
    - name: Build SDK
@@ -291,65 +207,18 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit ${{ matrix.language }} SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
-        contains(github.actor, 'renovate') && github.event_name ==
-        'pull_request'
-      shell: bash
-      run: >
-        git diff --quiet -- sdk && echo "no changes to sdk" && exit
-
-        git config --global user.email "bot@pulumi.com"
-
-        git config --global user.name "pulumi-bot"
-
-        # Stash local changes and check out the PR's branch directly.
-
-        git stash
-
-        git fetch
-
-        git checkout "origin/$HEAD_REF"
-
-
-        # Apply and add our changes, but don't commit any files we expect to
-
-        # always change due to versioning.
-
-        git stash pop
-
-        git add sdk
-
-        git reset sdk/python/*/pulumi-plugin.json \
-            sdk/python/pyproject.toml \
-            sdk/dotnet/pulumi-plugin.json \
-            sdk/dotnet/*.*.csproj \
-            sdk/dotnet/version.txt \
-            sdk/go/*/pulumi-plugin.json \
-            sdk/go/*/internal/pulumiUtilities.go \
-            sdk/nodejs/package.json
-
-        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
-
-
-        # Push with pulumi-bot credentials to trigger a re-run of the
-
-        # workflow. https://github.com/orgs/community/discussions/25702
-
-        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
-      env:
-        HEAD_REF: ${{ github.head_ref }}
+          sdk/java/build.gradle
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure while building SDKs
        fields: repo,commit,author,action
@@ -376,7 +245,7 @@ jobs:
      id-token: write # For ESC secrets and Pulumi access token OIDC.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -388,68 +257,30 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
-    - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
-      with:
-        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
-        path: ${{ github.workspace }}/bin
-    - name: UnTar provider binaries
-      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
-        github.workspace}}/bin
-    - name: Restore Binary Permissions
-      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
-        -exec chmod +x {} \;
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: ./.github/actions/download-sdk
      with:
-        name: ${{ matrix.language }}-sdk.tar.gz
-        path: ${{ github.workspace}}/sdk/
-    - name: UnTar SDK folder
-      if: ${{ matrix.language != 'yaml' }}
-      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
-        github.workspace}}/sdk/${{ matrix.language}}
+        language: ${{ matrix.language }}
    - name: Update path
      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
    - name: Install Node dependencies
@@ -470,7 +301,7 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@efb0bc8946938f0dfbfa00e829196ec95f0d0ea7 # v1.4.0
+      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
@@ -501,7 +332,7 @@ jobs:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in SDK tests
        fields: repo,commit,author,action
@@ -517,7 +348,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -529,18 +360,23 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Clear GitHub Actions Ubuntu runner disk space
      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
      with:
@@ -550,14 +386,8 @@ jobs:
        haskell: true
        swap-storage: true
        large-packages: false
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+      uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
      with:
        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
@@ -573,15 +403,17 @@ jobs:
        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
-        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+        AZURE_SIGNING_ACCOUNT_ENDPOINT: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT }}
+        AZURE_SIGNING_ACCOUNT_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME }}
+        AZURE_SIGNING_CERT_PROFILE_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME }}
+        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME == '' }}
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      with:
        args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
        version: latest
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing binaries
        fields: repo,commit,author,action
@@ -597,7 +429,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -609,45 +441,31 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        path: ci-scripts
        repository: pulumi/scripts
    - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download python SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -655,7 +473,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -663,7 +481,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -682,7 +500,7 @@ jobs:
        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing SDK
        fields: repo,commit,author,action
@@ -699,7 +517,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -711,36 +529,25 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download java SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: java-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -748,7 +555,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
        ${{github.workspace}}/sdk/java
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
+      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
      with:
        gradle-version: "7.6"
    - name: Publish Java SDK
@@ -766,18 +573,18 @@ jobs:
    needs: publish_sdk
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Download go SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: go-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -10,7 +10,7 @@ jobs:
    name: comment-on-pr
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true
    - name: Comment PR
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,19 +8,12 @@ on:
    - "!v*.*.*-**"
 env:
  PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  GOVERSION: "1.21.x"
  NODEVERSION: "20.x"
  PYTHONVERSION: "3.11.8"
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  AWS_REGION: us-west-2
-  AZURE_LOCATION: westus
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -29,6 +22,9 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  TF_APPEND_USER_AGENT: pulumi

 jobs:
  prerequisites:
@@ -39,7 +35,7 @@ jobs:
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -51,27 +47,27 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
+        cache: 'true'
+        github_token: ${{ steps.app-auth.outputs.token }}
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
      with:
        repo: pulumi/schema-tools
    - name: Build codegen binaries
@@ -119,78 +115,28 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
-        contains(github.actor, 'renovate') && github.event_name ==
-        'pull_request'
-      shell: bash
-      run: >
-        git diff --quiet -- sdk && echo "no changes to sdk" && exit
-
-        git config --global user.email "bot@pulumi.com"
-
-        git config --global user.name "pulumi-bot"
-
-        # Stash local changes and check out the PR's branch directly.
-
-        git stash
-
-        git fetch
-
-        git checkout "origin/$HEAD_REF"
-
-
-        # Apply and add our changes, but don't commit any files we expect to
-
-        # always change due to versioning.
-
-        git stash pop
-
-        git add sdk
-
-        git reset sdk/python/*/pulumi-plugin.json \
-            sdk/python/pyproject.toml \
-            sdk/dotnet/pulumi-plugin.json \
-            sdk/dotnet/*.*.csproj \
-            sdk/dotnet/version.txt \
-            sdk/go/*/pulumi-plugin.json \
-            sdk/go/*/internal/pulumiUtilities.go \
-            sdk/nodejs/package.json
-
-        git commit -m 'Commit SDK for Renovate'
-
-
-        # Push with pulumi-bot credentials to trigger a re-run of the
-
-        # workflow. https://github.com/orgs/community/discussions/25702
-
-        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
-      env:
-        HEAD_REF: ${{ github.head_ref }}
+          sdk/java/build.gradle
    - run: git status --porcelain
    - name: Tar provider binaries
      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
      env:
-        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
-        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
-        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in building provider prerequisites
        fields: repo,commit,author,action
@@ -215,7 +161,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -227,58 +173,25 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
-    - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
-      with:
-        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
-        path: ${{ github.workspace }}/bin
-    - name: UnTar provider binaries
-      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
-        github.workspace}}/bin
-    - name: Restore Binary Permissions
-      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
-        -exec chmod +x {} \;
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
    - name: Generate SDK
      run: make generate_${{ matrix.language }}
    - name: Build SDK
@@ -294,65 +207,18 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
-        contains(github.actor, 'renovate') && github.event_name ==
-        'pull_request'
-      shell: bash
-      run: >
-        git diff --quiet -- sdk && echo "no changes to sdk" && exit
-
-        git config --global user.email "bot@pulumi.com"
-
-        git config --global user.name "pulumi-bot"
-
-        # Stash local changes and check out the PR's branch directly.
-
-        git stash
-
-        git fetch
-
-        git checkout "origin/$HEAD_REF"
-
-
-        # Apply and add our changes, but don't commit any files we expect to
-
-        # always change due to versioning.
-
-        git stash pop
-
-        git add sdk
-
-        git reset sdk/python/*/pulumi-plugin.json \
-            sdk/python/pyproject.toml \
-            sdk/dotnet/pulumi-plugin.json \
-            sdk/dotnet/*.*.csproj \
-            sdk/dotnet/version.txt \
-            sdk/go/*/pulumi-plugin.json \
-            sdk/go/*/internal/pulumiUtilities.go \
-            sdk/nodejs/package.json
-
-        git commit -m 'Commit SDK for Renovate'
-
-
-        # Push with pulumi-bot credentials to trigger a re-run of the
-
-        # workflow. https://github.com/orgs/community/discussions/25702
-
-        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
-      env:
-        HEAD_REF: ${{ github.head_ref }}
+          sdk/java/build.gradle
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure while building SDKs
        fields: repo,commit,author,action
@@ -379,7 +245,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -391,68 +257,30 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
-    - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
-      with:
-        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
-        path: ${{ github.workspace }}/bin
-    - name: UnTar provider binaries
-      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
-        github.workspace}}/bin
-    - name: Restore Binary Permissions
-      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
-        -exec chmod +x {} \;
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: ./.github/actions/download-sdk
      with:
-        name: ${{ matrix.language }}-sdk.tar.gz
-        path: ${{ github.workspace}}/sdk/
-    - name: UnTar SDK folder
-      if: ${{ matrix.language != 'yaml' }}
-      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
-        github.workspace}}/sdk/${{ matrix.language}}
+        language: ${{ matrix.language }}
    - name: Update path
      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
    - name: Install Node dependencies
@@ -473,7 +301,7 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@efb0bc8946938f0dfbfa00e829196ec95f0d0ea7 # v1.4.0
+      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
@@ -504,7 +332,7 @@ jobs:
        GTIHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in SDK tests
        fields: repo,commit,author,action
@@ -520,7 +348,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -532,18 +360,23 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Clear GitHub Actions Ubuntu runner disk space
      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
      with:
@@ -553,14 +386,8 @@ jobs:
        haskell: true
        swap-storage: true
        large-packages: false
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+      uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
      with:
        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
@@ -576,15 +403,17 @@ jobs:
        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
-        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+        AZURE_SIGNING_ACCOUNT_ENDPOINT: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT }}
+        AZURE_SIGNING_ACCOUNT_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME }}
+        AZURE_SIGNING_CERT_PROFILE_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME }}
+        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME == '' }}
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      with:
        args: -p 3 release --clean --timeout 60m0s
        version: latest
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing binaries
        fields: repo,commit,author,action
@@ -600,7 +429,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -612,45 +441,31 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        path: ci-scripts
        repository: pulumi/scripts
    - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download python SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -658,7 +473,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -666,7 +481,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -685,7 +500,7 @@ jobs:
        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing SDK
        fields: repo,commit,author,action
@@ -702,7 +517,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -714,36 +529,25 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download java SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: java-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -751,7 +555,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
        ${{github.workspace}}/sdk/java
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
+      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
      with:
        gradle-version: "7.6"
    - name: Publish Java SDK
@@ -769,18 +573,18 @@ jobs:
    needs: publish_sdk
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Download go SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: go-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -805,7 +609,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -817,8 +621,14 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
      with:
        repo: pulumi/pulumictl
    - name: Dispatch Event
--- a/.github/workflows/release_command.yml
+++ b/.github/workflows/release_command.yml
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false    
    - env:
@@ -37,7 +37,7 @@ jobs:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure()
      name: Notify failure
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
@@ -46,7 +46,7 @@ jobs:
          "release command failed: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
    - if: success()
      name: Notify success
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -11,19 +11,12 @@ on:
  workflow_dispatch: {}
 env:
  PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  GOVERSION: "1.21.x"
  NODEVERSION: "20.x"
  PYTHONVERSION: "3.11.8"
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  AWS_REGION: us-west-2
-  AZURE_LOCATION: westus
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -32,6 +25,10 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
+  TF_APPEND_USER_AGENT: pulumi
  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
 jobs:
  comment-notification:
@@ -40,7 +37,7 @@ jobs:
    name: comment-notification
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true
        persist-credentials: false
@@ -51,7 +48,7 @@ jobs:
        "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
        >> "$GITHUB_OUTPUT"
    - name: Update with Result
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
@@ -65,7 +62,7 @@ jobs:
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true
        persist-credentials: false
@@ -79,27 +76,27 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
+        cache: 'true'
+        github_token: ${{ steps.app-auth.outputs.token }}
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
      with:
        repo: pulumi/schema-tools
    - name: Build codegen binaries
@@ -147,14 +144,17 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
+          sdk/java/build.gradle
+      # This worktree check is a safeguard against someone forgetting to
+      # re-build and commit locally, but we handle that commit automatically in
+      # the case of dependency bumps.
+      continue-on-error: ${{ contains(github.actor, 'renovate') }}
    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+      if: steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
-        git diff --quiet -- sdk && echo "no changes to sdk" && exit
-
        git config --global user.email "bot@pulumi.com"

        git config --global user.name "pulumi-bot"
@@ -169,12 +169,11 @@ jobs:


        # Apply and add our changes, but don't commit any files we expect to
-
        # always change due to versioning.

        git stash pop

-        git add sdk
+        git add sdk provider/cmd/pulumi-resource-docker-build/schema.json

        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
@@ -187,9 +186,7 @@ jobs:

        git commit -m 'Commit SDK for Renovate'

-
        # Push with pulumi-bot credentials to trigger a re-run of the
-
        # workflow. https://github.com/orgs/community/discussions/25702

        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
@@ -201,24 +198,21 @@ jobs:
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
      env:
-        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
-        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
-        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in building provider prerequisites
        fields: repo,commit,author,action
@@ -245,7 +239,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true
        persist-credentials: false
@@ -259,49 +253,25 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -326,14 +296,14 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
+          sdk/java/build.gradle
+      continue-on-error: ${{ contains(github.actor, 'renovate') }}
    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+      if: steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
-        git diff --quiet -- sdk && echo "no changes to sdk" && exit
-
        git config --global user.email "bot@pulumi.com"

        git config --global user.name "pulumi-bot"
@@ -346,14 +316,12 @@ jobs:

        git checkout "origin/$HEAD_REF"

-
        # Apply and add our changes, but don't commit any files we expect to
-
        # always change due to versioning.

        git stash pop

-        git add sdk
+        git add sdk provider/cmd/pulumi-resource-docker-build/schema.json

        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
@@ -367,7 +335,6 @@ jobs:
        git commit -m 'Commit SDK for Renovate'

        # Push with pulumi-bot credentials to trigger a re-run of the
-
        # workflow. https://github.com/orgs/community/discussions/25702

        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
@@ -377,14 +344,14 @@ jobs:
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
        retention-days: 30
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure while building SDKs
        fields: repo,commit,author,action
@@ -413,7 +380,7 @@ jobs:
      id-token: write
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true
        persist-credentials: false
@@ -427,49 +394,25 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
-      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -481,7 +424,7 @@ jobs:
        -exec chmod +x {} \;
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      with:
        name: ${{ matrix.language }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -509,7 +452,7 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@efb0bc8946938f0dfbfa00e829196ec95f0d0ea7 # v1.4.0
+      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
@@ -540,7 +483,7 @@ jobs:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in SDK tests
        fields: repo,commit,author,action
@@ -554,7 +497,7 @@ jobs:
    name: sentinel
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true
        persist-credentials: false
@@ -569,7 +512,7 @@ jobs:
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: Mark workflow as successful
-      uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
+      uses: guibranco/github-status-action-v2@77639353504055053524efa7a3719aaf0b731ce9 # v1.2.4
      with:
        authToken: ${{ secrets.GITHUB_TOKEN }}
        context: Sentinel
@@ -586,28 +529,8 @@ jobs:
    - prerequisites
    - lint
  lint:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
-        lfs: true
-        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Disarm go:embed directives to enable linters that compile source code
-      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
-        's/go:embed/ goembed/g'
-    - name: golangci-lint provider pkg
-      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
-      with:
-        version: ${{ env.GOLANGCI_LINT_VERSION }}
-        args: -c ../.golangci.yml
-        working-directory: provider
-    name: lint
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
+    name: lint
+    uses: ./.github/workflows/lint.yml
+    secrets: inherit
--- a/.github/workflows/shared/plugins/code-review/code-review.md
+++ b/.github/workflows/shared/plugins/code-review/code-review.md
@@ -0,0 +1,214 @@
+---
+description: High-signal PR review for gh-aw workflows using safe outputs
+---
+
+Provide a code review for the given pull request.
+
+**Agent assumptions (applies to all agents and subagents):**
+- All tools are functional and will work without error. Do not test tools or make exploratory calls. Make sure this is clear to every subagent that is launched.
+- Only call a tool if it is required to complete the task. Every tool call should have a clear purpose.
+- Use GitHub MCP tools for repository reads. Do not use `gh` CLI commands for repository inspection or for posting review output.
+- Use the workflow PR number as the authoritative target.
+- Review output must be terse and issue-focused. Do not praise the PR, narrate checks that passed, explain why code is correct, or offer "good change" commentary.
+- Use only gh-aw safe outputs for review side effects:
+  - `create-pull-request-review-comment` for actionable inline findings on changed lines
+  - `resolve-pull-request-review-thread` for unresolved bot-authored review threads that are now fixed or clearly acknowledged
+  - `submit-pull-request-review` for the final review decision
+  - `noop` when no action should be taken
+- Use cache-memory only for short-lived continuity and deduplication hints. Treat live PR state and current review threads as the source of truth.
+- Never post free-form issue comments or use any side channel for review output.
+- Respect the workflow safe-output limits. Prioritize the highest-signal unique findings and keep the inline review set within the configured maximum.
+- Consult `.gitattributes` when relevant and treat files matched there as generated by default. Ignore findings that exist only in generated outputs such as `.lock.yml` files unless the corresponding source-of-truth files show a real behavioral problem.
+
+To do this, follow these steps precisely:
+
+1. Create a short todo list for yourself before starting.
+
+2. Launch a fast subagent to check if any of the following are true:
+   - The pull request is closed
+   - The pull request is a draft
+   - The pull request does not need code review (e.g. automated PR, trivial change that is obviously correct)
+   - Required PR context cannot be read from the workflow tools
+
+   If any condition is true, call `noop` with a brief reason and stop.
+
+Note: Do not skip solely because prior automated review comments exist. Use prior comments for deduplication and stale-thread cleanup instead.
+
+3. Read any prior review memory for this PR from cache-memory before you start detailed analysis.
+
+   Use a PR-specific file such as:
+   - `/tmp/gh-aw/cache-memory/pr-${PR_NUMBER}.json`
+
+   If a prior memory file exists, use it only as a hint for:
+   - Previously reported issues
+   - Dedupe patterns
+   - Prior review timestamps
+   - Risk areas worth re-checking
+
+   Do not trust cache-memory over current GitHub state. If memory conflicts with the live PR, changed files, or review threads, trust the live PR and ignore stale memory.
+
+4. Launch a fast subagent to return a list of file paths (not their contents) for all relevant `CLAUDE.md` files including:
+   - The root CLAUDE.md file, if it exists
+   - Any CLAUDE.md files in directories containing files modified by the pull request
+
+5. Launch a subagent to summarize:
+   - The PR title and description
+   - The changed files
+   - The main behavioral changes in the diff
+   - Any obvious risk areas worth checking carefully
+
+6. Fetch existing review comments and review threads on the PR before preparing any new findings. Use them to identify:
+   - Similar issues already flagged
+   - Threads where a human already acknowledged the feedback
+   - Comments on code that has changed since the earlier review and may now be stale
+   - Unresolved bot-authored review threads that may now be fixed or obsolete
+
+7. Launch 4 review subagents in parallel. Each agent should return a list of candidate issues, where each issue includes:
+   - A concise description
+   - The reason it was flagged (for example `CLAUDE.md adherence` or `bug`)
+   - The changed file path
+   - The changed line or closest changed hunk
+   - Why the issue is likely real
+
+   Agents 1 + 2: CLAUDE.md compliance sonnet agents
+   Audit changes for `CLAUDE.md` compliance in parallel. When evaluating a file, only consider `CLAUDE.md` files that share a path scope with that file or its parents.
+
+   Agent 3: bug-focused review agent
+   Scan for obvious bugs. Focus only on the diff itself without reading extra context. Flag only significant bugs; ignore nitpicks and likely false positives. Do not flag issues that you cannot validate without looking at context outside of the git diff.
+
+   Agent 4: behavior-focused review agent
+   Look for problems introduced by the new code, including security issues, incorrect logic, regressions, and missing error handling. Only look for issues that fall within changed code.
+
+   **CRITICAL: We only want HIGH SIGNAL issues.** Flag issues where:
+   - The code will fail to compile or parse (syntax errors, type errors, missing imports, unresolved references)
+   - The code will definitely produce wrong results regardless of inputs (clear logic errors)
+   - The code introduces a clear security or regression bug in changed lines
+   - Clear, unambiguous `CLAUDE.md` violations where you can quote the exact rule being broken
+
+   Do NOT flag:
+   - Code style or quality concerns
+   - Potential issues that depend on specific inputs or state
+   - Subjective suggestions or improvements
+
+   If you are not certain an issue is real, do not flag it. False positives erode trust and waste reviewer time.
+
+   Each review subagent should receive the PR title and description so it can evaluate intent.
+
+8. For each candidate issue, launch validation subagents in parallel. Each validator should receive the PR title, description, issue description, affected file, and affected hunk. The validator must confirm that the issue is real with high confidence.
+
+   For bug and logic issues, verify the changed code actually causes the stated problem.
+
+   For `CLAUDE.md` issues, verify both:
+   - The cited rule exists
+   - The rule applies to that file path and is actually violated
+
+9. Filter out any issue that fails validation.
+
+10. Deduplicate and prune the validated issue list. Remove:
+   - Issues already covered by an existing review comment
+   - Issues in threads where a human has already acknowledged the feedback
+   - Issues that were present in an earlier revision but are fixed in the latest code
+   - Duplicate findings reported by multiple subagents
+   - Findings that are not on changed lines or cannot be tied to a changed hunk
+   - Findings that only came from cache-memory and are not confirmed by the current PR state
+
+   Also create a separate internal list of review threads to resolve. A thread is eligible for resolution only when all of the following are true:
+   - The thread is currently unresolved
+   - The thread was started by this automation or another bot, not by a human reviewer
+   - The underlying issue is fixed in the latest diff, outdated, or explicitly acknowledged by a human as intentionally left as-is
+   - You have high confidence that resolving it will not hide an outstanding real issue
+
+   Never resolve human-authored review threads. When uncertain, leave the thread unresolved.
+
+11. Classify the remaining issues:
+   - `Blocking`: correctness, security, regression, data loss, or clear required-rule violations
+   - `Non-blocking`: actionable but not merge-blocking concerns that are still worth interrupting the author for now
+
+   Drop any candidate that is merely:
+   - praise
+   - reassurance
+   - a follow-up idea
+   - a readability suggestion with no concrete risk
+   - an observation that does not require author action
+
+12. Produce a short internal summary of findings for yourself:
+   - If issues remain, list the highest-signal ones first
+   - If no issues remain, summarize that no actionable high-signal issues were found
+
+13. If no actionable issues remain, submit exactly one final review with `submit-pull-request-review`:
+   - Use `APPROVE`
+   - Use one short sentence only, such as `No actionable issues found.`
+   - Do not create inline comments
+   - Do not include praise, summaries of what was checked, or correctness narration
+   - Before stopping, write a compact review memory file for this PR containing:
+     - review timestamp
+     - PR number
+     - files reviewed
+     - summary of what was checked
+     - `issues_reported: []`
+   - Stop after the final review is submitted and memory is updated
+
+14. If actionable issues remain, choose the highest-signal unique issues up to the safe-output comment limit. Create a list of planned inline comments for yourself before posting anything.
+
+   Prefer zero comments over low-signal comments. Non-blocking comments should be rare.
+
+15. Post one inline comment per chosen issue using `create-pull-request-review-comment`. For each comment:
+   - Provide a brief description of the issue
+   - Explain why it matters
+   - Reference the exact changed line
+   - Cite the relevant `CLAUDE.md` rule when applicable
+   - Keep the comment concise and actionable
+   - Do not post comments that merely suggest optional follow-up cleanup or extra documentation
+   - Do not post comments whose conclusion is that the code is acceptable as-is
+   - Do not post duplicate comments for the same issue
+
+16. Resolve eligible stale review threads using `resolve-pull-request-review-thread` before submitting the final review.
+   - Resolve only threads from your internal resolution list
+   - Resolve only bot-authored threads
+   - Do not add explanatory comments when resolving
+   - If no threads qualify, do nothing
+
+17. Submit exactly one final review using `submit-pull-request-review`:
+   - Use `REQUEST_CHANGES` when at least one blocking issue remains
+   - Use `APPROVE` otherwise, including when only non-blocking inline comments were left
+   - Do not use `COMMENT` as the final review state
+   - Keep the summary to one or two short sentences
+   - Do not restate inline comments in the final review; point readers to the inline comments instead
+   - Do not include praise, correctness checklists, or "overall LGTM" framing unless there are zero inline comments and you are using the exact terse approval style above
+
+18. After the final review is submitted, update the PR-specific cache-memory file with a compact record of this review. Store only short-lived operational state such as:
+   - review timestamp
+   - PR number
+   - files reviewed
+   - issue fingerprints or short summaries
+   - whether the final review was `APPROVE` or `REQUEST_CHANGES`
+
+   Do not store secrets, tokens, personal data, or large blobs. Keep the file concise so future runs can use it for continuity and dedupe.
+
+Use this list when evaluating issues in Steps 4 and 5 (these are false positives, do NOT flag):
+
+- Pre-existing issues
+- Something that appears to be a bug but is actually correct
+- Pedantic nitpicks that a senior engineer would not flag
+- Issues that a linter will catch (do not run the linter to verify)
+- General code quality concerns (e.g., lack of test coverage, general security issues) unless explicitly required in CLAUDE.md
+- Issues mentioned in CLAUDE.md but explicitly silenced in the code (e.g., via a lint ignore comment)
+- Differences that exist only in files classified as generated by `.gitattributes`, unless they expose a real issue in the source workflow, prompt, or other source-of-truth file
+- Explanations that a change is good, correct, well-structured, or acceptable as-is
+- Non-blocking observations that do not require the author to change anything now
+- Requests for extra comments or documentation unless their absence creates a concrete correctness risk
+
+Notes:
+
+- Use GitHub tools for all repository reads. Do not use web fetch.
+- Always operate on the workflow PR target rather than guessing from local git state.
+- Inline comments should only be created for actionable issues on changed lines.
+- If you leave inline comments, the final review should not repeat them.
+- Cache-memory is best-effort and may be missing or stale. Use it to improve continuity, never to override current repository state.
+- When linking to code in an inline comment, use a full GitHub blob URL with a full SHA and a line range, for example: https://github.com/anthropics/claude-code/blob/c21d3c10bc8e898b7ac1a2d745bdc9bc4e423afe/package.json#L10-L15
+  - Requires full git sha
+  - Do not use shell substitution in the URL
+  - Repo name must match the repo you're code reviewing
+  - Use `#L[start]-L[end]`
+  - Provide at least one line of context before and after when possible
+- If context checks fail or the PR is not reviewable, call `noop` with a brief explanation instead of exiting silently.
--- a/.github/workflows/shared/review.md
+++ b/.github/workflows/shared/review.md
@@ -0,0 +1,74 @@
+---
+permissions:
+  contents: read
+  pull-requests: read
+  id-token: write
+engine:
+  id: claude
+  env:
+    ANTHROPIC_API_KEY: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY || '__GH_AW_ACTIVATION_PLACEHOLDER__' }}
+steps:
+  - env:
+      ESC_ACTION_ENVIRONMENT: imports/github-secrets
+      ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+      ESC_ACTION_OIDC_AUTH: "true"
+      ESC_ACTION_OIDC_ORGANIZATION: pulumi
+      ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+    id: esc-secrets
+    name: Fetch secrets from ESC
+    uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5  # v1.5.0
+  - name: Validate ESC secret output
+    env:
+      ANTHROPIC_API_KEY_FROM_ESC: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
+    run: |
+      test -n "$ANTHROPIC_API_KEY_FROM_ESC" || {
+        echo "ESC did not return ANTHROPIC_API_KEY";
+        exit 1;
+      }
+tools:
+  cache-memory: true
+  github:
+    toolsets: [pull_requests, repos]
+safe-outputs:
+  threat-detection: false
+  create-pull-request-review-comment:
+    max: 12
+    side: "RIGHT"
+    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
+    target-repo: "${{ github.repository }}"
+  resolve-pull-request-review-thread:
+    max: 12
+    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
+    target-repo: "${{ github.repository }}"
+  submit-pull-request-review:
+    max: 1
+    allowed-events: [APPROVE, REQUEST_CHANGES, COMMENT]
+    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
+  noop:
+    max: 1
+  messages:
+    footer: "> Reviewed by [{workflow_name}]({run_url})"
+    run-started: "Started automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
+    run-success: "Finished automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
+    run-failure: "Automated PR review failed for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} ({status})."
+---
+
+
+Review pull request #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} in repository `${{ github.repository }}`.
+
+Workflow-specific rules:
+- Use `${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}` as the authoritative PR target.
+- Treat the imported review prompt as the source of the review procedure.
+- Use only gh-aw safe outputs for side effects:
+  - `create-pull-request-review-comment` for actionable inline findings on changed lines
+  - `resolve-pull-request-review-thread` for previously reported bot-authored threads that are now fixed or clearly acknowledged
+  - `submit-pull-request-review` for the final review
+  - `noop` when the PR is not reviewable or required context is missing
+- Submit exactly one final review:
+  - `REQUEST_CHANGES` when at least one blocking issue exists.
+  - `APPROVE` otherwise, including when only non-blocking observations exist.
+  - Do not submit `COMMENT` as the final review state.
+- Do not post free-form issue comments outside safe outputs.
+- Respect the configured inline comment limit and prioritize the highest-signal unique findings.
+- Use cache-memory only as a best-effort continuity aid; live PR state and current review threads are authoritative.
+- Ignore discovery steps intended for runs without PR context.
--- a/.github/workflows/weekly-pulumi-update.yml
+++ b/.github/workflows/weekly-pulumi-update.yml
@@ -8,19 +8,12 @@ on:
 env:
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  GOVERSION: "1.21.x"
  NODEVERSION: "20.x"
  PYTHONVERSION: "3.11.8"
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  AWS_REGION: us-west-2
-  AZURE_LOCATION: westus
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -29,6 +22,10 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
+  TF_APPEND_USER_AGENT: pulumi

 jobs:
  weekly-pulumi-update:
@@ -36,7 +33,7 @@ jobs:
    permissions: write-all
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        lfs: true    
    - env:
@@ -48,40 +45,16 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
      with:
-        go-version: ${{ env.GOVERSION }}
-        cache-dependency-path: "**/*.sum"
-    - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
      with:
-        repo: pulumi/pulumictl
-    - name: Install Pulumi CLI
-      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
-    - name: Setup DotNet
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
-      with:
-        dotnet-version: ${{ env.DOTNETVERSION }}
-    - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
-      with:
-        node-version: ${{ env.NODEVERSION }}
-        registry-url: https://registry.npmjs.org
-    - name: Setup Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-      with:
-        python-version: ${{ env.PYTHONVERSION }}
-    - name: Setup Java
-      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
-      with:
-        java-version: ${{ env.JAVAVERSION }}
-        distribution: temurin
-        cache: gradle
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
-      with:
-        gradle-version: "7.6"
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Update Pulumi/Pulumi
      id: gomod
      run: >-
@@ -91,10 +64,10 @@ jobs:

        git checkout -b update-pulumi/${{ github.run_id }}-${{ github.run_number }}

-        find . -name go.mod -execdir sh -c 'go get github.com/pulumi/pulumi/pkg/v3 github.com/pulumi/pulumi/sdk/v3; go mod tidy' \;
-
        gh repo view pulumi/pulumi --json latestRelease --jq .latestRelease.tagName | sed 's/^v//' > .pulumi.version

+        VERSION=$(cat .pulumi.version) find . -name go.mod -execdir sh -c 'go get github.com/pulumi/pulumi/pkg/v3@v${VERSION} github.com/pulumi/pulumi/sdk/v3@v${VERSION}; go mod tidy' \;
+
        git update-index -q --refresh

        if ! git diff-files --quiet; then echo changes=1 >> "$GITHUB_OUTPUT"; fi
@@ -136,9 +109,7 @@ jobs:

        msg="Automated upgrade: bump pulumi/pulumi to ${ver}"

-        # See https://github.com/cli/cli/issues/6485#issuecomment-2560935183 for --head workaround
-
-        gh pr create -t "$msg" -b "$msg" --head "$(git branch --show-current)"
+        gh pr create -t "$msg" -b "$msg"
      env:
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    name: weekly-pulumi-update
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 **/.ionide
 **/.vscode
 *.swp
+.pulumi
 Pulumi.*.yaml
 yarn.lock
 ci-scripts
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,104 +1,53 @@
-run:
-  timeout: 10m
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt

+version: "2"
 linters:
-  enable-all: false
  enable:
-    - depguard
-    - errcheck
-    - exhaustive
-    - copyloopvar
-    - gci
-    - gocritic
-    - gofumpt
-    - goheader
+    - goconst
    - gosec
-    - govet
-    - importas
-    - ineffassign
    - lll
    - misspell
    - nakedret
-    - nolintlint
-    - paralleltest
-    - perfsprint
-    - prealloc
    - revive
    - unconvert
-    - unused
-
-linters-settings:
-  depguard:
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - schema.go
+      - pulumiManifest.go
+      - pkg/vendored
+      - third_party$
+      - builtin$
+      - examples$
    rules:
-      protobuf:
-        deny:
-          - pkg: "github.com/golang/protobuf"
-            desc: Use google.golang.org/protobuf instead
-  gci:
-    sections:
-      - standard # Standard section: captures all standard library packages.
-      - blank # Blank section: contains all blank imports.
-      - default # Default section: contains all imports that could not be matched to another section type.
-      - prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix.
-      - prefix(github.com/pulumi/pulumi-dockerbuild/) # Custom section: local imports
-    custom-order: true
-  gocritic:
-    enable-all: true
-    disabled-checks:
-      - hugeParam
-      - importShadow
-  goheader:
-    template: |-
-      Copyright 2024, Pulumi Corporation.
-
-      Licensed under the Apache License, Version 2.0 (the "License");
-      you may not use this file except in compliance with the License.
-      You may obtain a copy of the License at
-
-          http://www.apache.org/licenses/LICENSE-2.0
-
-      Unless required by applicable law or agreed to in writing, software
-      distributed under the License is distributed on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-      See the License for the specific language governing permissions and
-      limitations under the License.
-  govet:
-    enable:
-      - nilness
-      # Reject comparisons of reflect.Value with DeepEqual or '=='.
-      - reflectvaluecompare
-      # Reject sort.Slice calls with a non-slice argument.
-      - sortslice
-      # Detect write to struct/arrays by-value that aren't read again.
-      - unusedwrite
-  nakedret:
-    # Make an issue if func has more lines of code than this setting, and it has naked returns.
-    # Default: 30
-    max-func-lines: 60
-  nolintlint:
-    # Some linter exclusions are added to generated or templated files
-    # pre-emptively.
-    # Don't complain about these.
-    allow-unused: true
-
-issues:
-  exclude-use-default: false
-  exclude-rules:
-    # Don't warn on unused parameters.
-    # Parameter names are useful; replacing them with '_' is undesirable.
-    - linters: [revive]
-      text: 'unused-parameter: parameter \S+ seems to be unused, consider removing or renaming it as _'
-
-    # staticcheck already has smarter checks for empty blocks.
-    # revive's empty-block linter has false positives.
-    # For example, as of writing this, the following is not allowed.
-    #   for foo() { }
-    - linters: [revive]
-      text: "empty-block: this block is empty, you can remove it"
-
-    # We *frequently* use the term 'new' in the context of properties
-    # (new and old properties),
-    # and we rarely use the 'new' built-in function.
-    # It's fine to ignore these cases.
-    - linters: [revive]
-      text: "redefines-builtin-id: redefinition of the built-in function new"
+      - linters:
+          - revive
+        path: pkg/
+        text: "var-naming" # https://github.com/pulumi/ci-mgmt/issues/2100
+formatters:
+  enable:
+    - gci
+    - gofmt
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard library packages.
+        - blank # Blank section: contains all blank imports.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix.
+        - prefix(github.com/pulumi/pulumi-docker-build) # Custom section: local imports
+      custom-order: true
+  exclusions:
+    generated: lax
+    paths:
+      - schema.go
+      - pulumiManifest.go
+      - pkg/vendored
+      - third_party$
+      - builtin$
+      - examples$
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,5 +1,4 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
-
 project_name: pulumi-docker-build
 builds:
 - id: build-provider
--- a/.pulumi.version
+++ b/.pulumi.version
@@ -1 +1 @@
-3.192.0
+3.239.0
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,21 @@
 ## Unreleased

+### Fixed
+
+- Fixes a regression where a 404 status code during deletion wasn't considered deleted. (https://github.com/pulumi/pulumi-docker-build/issues/849)
+
+## 0.0.15 (2025-10-17)
+
+### Changed
+
+- Arguments `CacheFromGitHubActions.URL` and `CacheFromGitHubActions.Token` have been removed. If the previous behaviour is desired, set the `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_TOKEN` environment variables. (https://github.com/pulumi/pulumi-docker-build/issues/75)
+
+## 0.0.14 (2025-09-30)
+
+### Fixed
+
+- A warning is no longer emitted for the reserved `__internal` key. (https://github.com/pulumi/pulumi-docker-build/issues/579)
+
 ## 0.0.13 (2025-08-27)

 ### Changed
--- a/79
+++ b/79
@@ -17,8 +17,9 @@ WORKING_DIR      := $(shell pwd)
 EXAMPLES_DIR     := ${WORKING_DIR}/examples/yaml
 TESTPARALLELISM  := 4

-PULUMI           := bin/pulumi
-GOGLANGCILINT    := bin/golangci-lint
+PULUMI           := pulumi
+GOGLANGCILINT    := golangci-lint
+GOTEST           := go test

 # Override during CI using `make [TARGET] PROVIDER_VERSION=""` or by setting a PROVIDER_VERSION environment variable
 # Local & branch builds will just used this fixed default version unless specified
@@ -46,10 +47,10 @@ provider_debug::
 	(cd provider && go build -o $(WORKING_DIR)/bin/${PROVIDER} -gcflags="all=-N -l" -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))

 test_provider:: # Required by CI
-	go test -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
+	${GOTEST} -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...

 test_examples: install_nodejs_sdk install_dotnet_sdk
-	go test -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
+	${GOTEST} -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...

 test_all:: test_provider test_examples

@@ -57,43 +58,34 @@ test_all:: test_provider test_examples
 gen_examples:

 examples: $(shell mkdir -p examples)
-examples: sdk examples/yaml examples/go examples/nodejs examples/python examples/dotnet examples/java
+examples: sdk examples/yaml examples/go examples/nodejs examples/python examples/dotnet examples/java examples/hcl

 examples/yaml:
 	rm -rf ${WORKING_DIR}/examples/yaml/app
 	cp -r ${WORKING_DIR}/examples/app ${WORKING_DIR}/examples/yaml/app

-examples/go: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/go: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,go)
 	@git checkout examples/go/go.mod

-examples/nodejs: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/nodejs: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,nodejs)
 	@git checkout examples/nodejs/package.json

-examples/python: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/python: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,python)
 	@git checkout examples/python/requirements.txt

-examples/dotnet: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/dotnet: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,dotnet)
 	@git checkout examples/dotnet/provider-docker-build.csproj

-examples/java: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/java: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,java)
 	@git checkout examples/java/pom.xml

-${PULUMI}: go.sum
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/pkg/v3/cmd/pulumi
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-java/pkg/cmd/pulumi-language-java
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-yaml/cmd/pulumi-converter-yaml
-
-${GOGLANGCILINT}: go.sum
-	GOBIN=${WORKING_DIR}/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@8b37f14
+examples/hcl: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+	$(call example,hcl)

 define pulumi_login
    export PULUMI_CONFIG_PASSPHRASE=asdfqwerty1234; \
@@ -102,7 +94,7 @@ endef

 define example
 	rm -rf ${WORKING_DIR}/examples/$(1)
-	$(PULUMI) convert \
+	pulumi convert \
 		--cwd ${WORKING_DIR}/examples/yaml \
 		--logtostderr \
 		--generate-only \
@@ -140,7 +132,7 @@ build:: provider sdk/dotnet sdk/go sdk/nodejs sdk/python sdk/java ${SCHEMA_PATH}
 only_build:: build

 .PHONY: lint
-lint: ${GOGLANGCILINT}
+lint:
 	${GOGLANGCILINT} run --fix -c .golangci.yml

 install:: install_nodejs_sdk install_dotnet_sdk
@@ -193,6 +185,7 @@ bin/${PROVIDER}: $(shell find ./provider -name '*.go') go.mod
 	(cd provider && go build -o ../bin/${PROVIDER} -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))

 bin/pulumi-gen-${PACK}: # Required by CI
+	@mkdir -p bin
 	touch bin/pulumi-gen-${PACK}

 go.mod: $(shell find . -name '*.go')
@@ -205,7 +198,7 @@ sdk: sdk/python sdk/nodejs sdk/java sdk/python sdk/go sdk/dotnet
 .PHONY: sdk/*

 sdk/python: TMPDIR := $(shell mktemp -d)
-sdk/python: $(PULUMI) bin/${PROVIDER}
+sdk/python: bin/${PROVIDER}
 	rm -rf sdk/python
 	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language python -o ${TMPDIR}
 	cp README.md ${TMPDIR}/python/
@@ -218,7 +211,7 @@ sdk/python: $(PULUMI) bin/${PROVIDER}
 	mv -f ${TMPDIR}/python ${WORKING_DIR}/sdk/.

 sdk/nodejs: TMPDIR := $(shell mktemp -d)
-sdk/nodejs: $(PULUMI) bin/${PROVIDER}
+sdk/nodejs: bin/${PROVIDER}
 	rm -rf sdk/nodejs
 	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language nodejs -o ${TMPDIR}
 	cp README.md LICENSE ${TMPDIR}/nodejs
@@ -230,7 +223,7 @@ sdk/nodejs: $(PULUMI) bin/${PROVIDER}

 sdk/go: TMPDIR := $(shell mktemp -d)
 sdk/go: PATH := "$(WORKING_DIR)/bin:$(PATH)"
-sdk/go: $(PULUMI) bin/${PROVIDER}
+sdk/go: bin/${PROVIDER}
 	rm -rf sdk/go
 	PATH=$(PATH) $(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language go -o ${TMPDIR}
 	cp go.mod ${TMPDIR}/go/dockerbuild/go.mod
@@ -240,7 +233,7 @@ sdk/go: $(PULUMI) bin/${PROVIDER}
 	mv -f ${TMPDIR}/go ${WORKING_DIR}/sdk/go

 sdk/dotnet: TMPDIR := $(shell mktemp -d)
-sdk/dotnet: $(PULUMI) bin/${PROVIDER}
+sdk/dotnet: bin/${PROVIDER}
 	rm -rf sdk/dotnet
 	$(PULUMI) package gen-sdk ./bin/${PROVIDER} --language dotnet -o ${TMPDIR}
 	cd ${TMPDIR}/dotnet/ && \
@@ -250,7 +243,7 @@ sdk/dotnet: $(PULUMI) bin/${PROVIDER}

 sdk/java: PACKAGE_VERSION := $(shell pulumictl convert-version --language generic -v "$(VERSION_GENERIC)")
 sdk/java: TMPDIR := $(shell mktemp -d)
-sdk/java: $(PULUMI) bin/${PROVIDER}
+sdk/java: bin/${PROVIDER}
 	rm -rf sdk/java
 	$(PULUMI) package gen-sdk --language java ./bin/${PROVIDER} -o ${TMPDIR}
 	cd ${TMPDIR}/java/ && gradle --console=plain build
@@ -260,29 +253,32 @@ docs: $(shell find docs/yaml -type f) $(shell find ./provider/internal/embed -na
 	go generate docs/generate.go
 	@touch docs

-# Set these variables to enable signing of the windows binary
+# Set these variables to enable signing of the windows binary with Azure Trusted Signing.
 AZURE_SIGNING_CLIENT_ID ?=
 AZURE_SIGNING_CLIENT_SECRET ?=
 AZURE_SIGNING_TENANT_ID ?=
-AZURE_SIGNING_KEY_VAULT_URI ?=
+AZURE_SIGNING_ACCOUNT_ENDPOINT ?=
+AZURE_SIGNING_ACCOUNT_NAME ?=
+AZURE_SIGNING_CERT_PROFILE_NAME ?=
 SKIP_SIGNING ?=

-bin/jsign-6.0.jar:
-	wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar
+bin/jsign-7.4.jar:
+	@mkdir -p bin
+	wget https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar --output-document=bin/jsign-7.4.jar

 sign-goreleaser-exe-amd64: GORELEASER_ARCH := amd64_v1
 sign-goreleaser-exe-arm64: GORELEASER_ARCH := arm64

 # Set the shell to bash to allow for the use of bash syntax.
 sign-goreleaser-exe-%: SHELL:=/bin/bash
-sign-goreleaser-exe-%: bin/jsign-6.0.jar
+sign-goreleaser-exe-%: bin/jsign-7.4.jar
 	@# Only sign windows binary if fully configured.
 	@# Test variables set by joining with | between and looking for || showing at least one variable is empty.
 	@# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
 	@set -e; \
 	if [[ "${SKIP_SIGNING}" != "true" ]]; then \
-		if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
-			echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
+		if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_ACCOUNT_ENDPOINT}|${AZURE_SIGNING_ACCOUNT_NAME}|${AZURE_SIGNING_CERT_PROFILE_NAME}|" == *"||"* ]]; then \
+			echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_ACCOUNT_ENDPOINT, AZURE_SIGNING_ACCOUNT_NAME, AZURE_SIGNING_CERT_PROFILE_NAME"; \
 			echo "To rebuild with signing delete the unsigned windows exe file and rebuild with the fixed configuration"; \
 			if [[ "${CI}" == "true" ]]; then exit 1; fi; \
 		else \
@@ -293,12 +289,15 @@ sign-goreleaser-exe-%: bin/jsign-6.0.jar
 				--password "${AZURE_SIGNING_CLIENT_SECRET}" \
 				--tenant "${AZURE_SIGNING_TENANT_ID}" \
 				--output none; \
-			ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
-			java -jar bin/jsign-6.0.jar \
-				--storetype AZUREKEYVAULT \
-				--keystore "PulumiCodeSigning" \
-				--url "${AZURE_SIGNING_KEY_VAULT_URI}" \
+			ACCESS_TOKEN=$$(az account get-access-token --resource "https://codesigning.azure.net" | jq -r .accessToken); \
+			ENDPOINT_HOST="$${AZURE_SIGNING_ACCOUNT_ENDPOINT#https://}"; \
+			ENDPOINT_HOST="$${ENDPOINT_HOST#http://}"; \
+			ENDPOINT_HOST="$${ENDPOINT_HOST%/}"; \
+			java -jar bin/jsign-7.4.jar \
+				--storetype TRUSTEDSIGNING \
+				--keystore "$${ENDPOINT_HOST}" \
 				--storepass "$${ACCESS_TOKEN}" \
+				--alias "${AZURE_SIGNING_ACCOUNT_NAME}/${AZURE_SIGNING_CERT_PROFILE_NAME}" \
 				$${file}.unsigned; \
 			mv $${file}.unsigned $${file}; \
 			az logout; \
--- a/bin/pulumi-language-python-exec
+++ b/bin/pulumi-language-python-exec
@@ -1,204 +0,0 @@
-#!/usr/bin/env python
-# Copyright 2016-2018, Pulumi Corporation.  All rights reserved.
-
-import argparse
-import asyncio
-from typing import Optional
-import logging
-import os
-import sys
-import traceback
-import runpy
-from concurrent.futures import ThreadPoolExecutor
-
-# The user might not have installed Pulumi yet in their environment - provide a high-quality error message in that case.
-try:
-    import pulumi
-    import pulumi.runtime
-except ImportError:
-    # For whatever reason, sys.stderr.write is not picked up by the engine as a message, but 'print' is. The Python
-    # langhost automatically flushes stdout and stderr on shutdown, so we don't need to do it here - just trust that
-    # Python does the sane thing when printing to stderr.
-    print(traceback.format_exc(), file=sys.stderr)
-    print("""
-It looks like the Pulumi SDK has not been installed. Have you run pip install?
-If you are running in a virtualenv, you must run pip install -r requirements.txt from inside the virtualenv.""", file=sys.stderr)
-    sys.exit(1)
-
-# use exit code 32 to signal to the language host that an error message was displayed to the user
-PYTHON_PROCESS_EXITED_AFTER_SHOWING_USER_ACTIONABLE_MESSAGE_CODE = 32
-
-def get_abs_module_path(mod_path):
-    path, ext = os.path.splitext(mod_path)
-    if not ext:
-        path = os.path.join(path, '__main__')
-    return os.path.abspath(path)
-
-
-def _get_user_stacktrace(user_program_abspath: str) -> str:
-    '''grabs the current stacktrace and truncates it to show the only stacks pertaining to a user's program'''
-    tb = traceback.extract_tb(sys.exc_info()[2])
-
-    for frame_index, frame in enumerate(tb):
-        # loop over stack frames until we reach the main program
-        # then return the traceback truncated to the user's code
-        cur_module = frame[0]
-        if get_abs_module_path(user_program_abspath) == get_abs_module_path(cur_module):
-            # we have detected the start of a user's stack trace
-            remaining_frames = len(tb)-frame_index
-
-            # include remaining frames from the bottom by negating
-            return traceback.format_exc(limit=-remaining_frames)
-
-    # we did not detect a __main__ program, return normal traceback
-    return traceback.format_exc()
-
-def _set_default_executor(loop, parallelism: Optional[int]):
-    '''configure this event loop to respect the settings provided.'''
-    if parallelism is None:
-        return
-    parallelism = max(parallelism, 1)
-    exec = ThreadPoolExecutor(max_workers=parallelism)
-    loop.set_default_executor(exec)
-
-if __name__ == "__main__":
-    # Parse the arguments, program name, and optional arguments.
-    ap = argparse.ArgumentParser(description='Execute a Pulumi Python program')
-    ap.add_argument('--project', help='Set the project name')
-    ap.add_argument('--stack', help='Set the stack name')
-    ap.add_argument('--parallel', help='Run P resource operations in parallel (default=none)')
-    ap.add_argument('--dry_run', help='Simulate resource changes, but without making them')
-    ap.add_argument('--pwd', help='Change the working directory before running the program')
-    ap.add_argument('--monitor', help='An RPC address for the resource monitor to connect to')
-    ap.add_argument('--engine', help='An RPC address for the engine to connect to')
-    ap.add_argument('--tracing', help='A Zipkin-compatible endpoint to send tracing data to')
-    ap.add_argument('--organization', help='Set the organization name')
-    ap.add_argument('PROGRAM', help='The Python program to run')
-    ap.add_argument('ARGS', help='Arguments to pass to the program', nargs='*')
-    args = ap.parse_args()
-
-    # If any config variables are present, parse and set them, so subsequent accesses are fast.
-    config_env = pulumi.runtime.get_config_env()
-    if hasattr(pulumi.runtime, "get_config_secret_keys_env") and hasattr(pulumi.runtime, "set_all_config"):
-        # If the pulumi SDK has `get_config_secret_keys_env` and `set_all_config`, use them
-        # to set the config and secret keys.
-        config_secret_keys_env = pulumi.runtime.get_config_secret_keys_env()
-        pulumi.runtime.set_all_config(config_env, config_secret_keys_env)
-    else:
-        # Otherwise, fallback to setting individual config values.
-        for k, v in config_env.items():
-            pulumi.runtime.set_config(k, v)
-
-    # Configure the runtime so that the user program hooks up to Pulumi as appropriate.
-    # New versions of pulumi python support setting organization, old versions do not
-    try:
-        settings = pulumi.runtime.Settings(
-            monitor=args.monitor,
-            engine=args.engine,
-            project=args.project,
-            stack=args.stack,
-            parallel=int(args.parallel),
-            dry_run=args.dry_run == "true",
-            organization=args.organization,
-        )
-    except TypeError:
-        settings = pulumi.runtime.Settings(
-            monitor=args.monitor,
-            engine=args.engine,
-            project=args.project,
-            stack=args.stack,
-            parallel=int(args.parallel),
-            dry_run=args.dry_run == "true"
-        )
-
-    pulumi.runtime.configure(settings)
-
-    # Finally, swap in the args, chdir if needed, and run the program as if it had been executed directly.
-    sys.argv = [args.PROGRAM] + args.ARGS
-    if args.pwd is not None:
-        os.chdir(args.pwd)
-
-    successful = False
-
-    try:
-        # The docs for get_running_loop are somewhat misleading because they state:
-        # This function can only be called from a coroutine or a callback. However, if the function is
-        # called from outside a coroutine or callback (the standard case when running `pulumi up`), the function
-        # raises a RuntimeError as expected and falls through to the exception clause below.
-        loop = asyncio.get_running_loop()
-    except RuntimeError:
-        loop = asyncio.new_event_loop()
-        asyncio.set_event_loop(loop)
-    
-    # Configure the event loop to respect the parallelism value provided as input.
-    _set_default_executor(loop, settings.parallel)
-
-    # We are (unfortunately) suppressing the log output of asyncio to avoid showing to users some of the bad things we
-    # do in our programming model.
-    #
-    # Fundamentally, Pulumi is a way for users to build asynchronous dataflow graphs that, as their deployments
-    # progress, resolve naturally and eventually result in the complete resolution of the graph. If one node in the
-    # graph fails (i.e. a resource fails to create, there's an exception in an apply, etc.), part of the graph remains
-    # unevaluated at the time that we exit.
-    #
-    # asyncio abhors this. It gets very upset if the process terminates without having observed every future that we
-    # have resolved. If we are terminating abnormally, it is highly likely that we are not going to observe every single
-    # future that we have created. Furthermore, it's *harmless* to do this - asyncio logs errors because it thinks it
-    # needs to tell users that they're doing bad things (which, to their credit, they are), but we are doing this
-    # deliberately.
-    #
-    # In order to paper over this for our users, we simply turn off the logger for asyncio. Users won't see any asyncio
-    # error messages, but if they stick to the Pulumi programming model, they wouldn't be seeing any anyway.
-    logging.getLogger("asyncio").setLevel(logging.CRITICAL)
-    exit_code = 1
-    try:
-        # record the location of the user's program to return user tracebacks
-        user_program_abspath = os.path.abspath(args.PROGRAM)
-        def run():
-            try:
-                runpy.run_path(args.PROGRAM, run_name='__main__')
-            except ImportError as e:
-                def fix_module_file(m: str) -> str:
-                    # Work around python 11 reporting "<frozen runpy>" rather
-                    # than runpy.__file__ in the traceback.
-                    return runpy.__file__ if m == "<frozen runpy>" else m
-
-                # detect if the main pulumi python program does not exist
-                stack_modules = [fix_module_file(f.filename) for f in traceback.extract_tb(e.__traceback__)]
-                unique_modules = set(module for module in stack_modules)
-                last_module_name = stack_modules[-1]
-
-                # we identify a missing program error if
-                # 1. the only modules in the stack trace are
-                #   - `pulumi-language-python-exec`
-                #   - `runpy`
-                # 2. the last function in the stack trace is in the `runpy` module
-                if unique_modules == {
-                            __file__, # the language runtime itself
-                            runpy.__file__,
-                        } and last_module_name == runpy.__file__ :
-                    # this error will only be hit when the user provides a directory
-                    # the engine has a check to determine if the `main` file exists and will fail early
-
-                    # if a language runtime receives a directory, it's the language's responsibility to determine
-                    # whether the provided directory has a pulumi program
-                    pulumi.log.error(f"unable to find main python program `__main__.py` in `{user_program_abspath}`")
-                    sys.exit(PYTHON_PROCESS_EXITED_AFTER_SHOWING_USER_ACTIONABLE_MESSAGE_CODE)
-                else:
-                    raise e
-
-        coro = pulumi.runtime.run_in_stack(run)
-        loop.run_until_complete(coro)
-        exit_code = 0
-    except pulumi.RunError as e:
-        pulumi.log.error(str(e))
-    except Exception:
-        error_msg = "Program failed with an unhandled exception:\n" + _get_user_stacktrace(user_program_abspath)
-        pulumi.log.error(error_msg)
-        exit_code = PYTHON_PROCESS_EXITED_AFTER_SHOWING_USER_ACTIONABLE_MESSAGE_CODE
-    finally:
-        loop.close()
-        sys.stdout.flush()
-        sys.stderr.flush()
-
-    sys.exit(exit_code)
--- a/docs/_index.md
+++ b/docs/_index.md
@@ -0,0 +1,428 @@
+---
+title: Docker Build
+meta_desc: Provides an overview of the Docker Build Provider for Pulumi.
+layout: package
+---
+
+The Docker Build provider leverages [buildx and BuildKit](https://docs.docker.com/build/architecture/) to build modern Docker images with Pulumi.
+
+Not to be confused with the earlier
+[Docker](../docker) provider, which is still
+appropriate for managing resources unrelated to building images.
+
+| Provider               | Use cases                                                               |
+| ----------------       | ----------------------------------------------------------------------- |
+| `@pulumi/docker-build` | Anything related to building images with `docker build`.                |
+| `@pulumi/docker`       | Everything else -- including running containers and creating networks.  |
+
+## Example
+
+If your Pulumi program has a directory called `app` alongside it, containing a
+file named "Dockerfile" (which can be as simple as `FROM alpine` for the
+purpose of example), then the code below shows how to build a multi-platform
+image, publish it to a remote AWS ECR registry, and use an [inline
+cache](https://docs.docker.com/build/cache/backends/inline/) to speed up
+subsequent builds.
+
+{{< chooser language "typescript,python,csharp,go,yaml,java" >}}
+
+{{% choosable language typescript %}}
+
+```typescript
+import * as aws from "@pulumi/aws";
+import * as docker_build from "@pulumi/docker-build";
+
+// Create an ECR repository for pushing.
+const ecrRepository = new aws.ecr.Repository("ecr-repository", {});
+
+// Grab auth credentials for ECR.
+const authToken = aws.ecr.getAuthorizationTokenOutput({
+    registryId: ecrRepository.registryId,
+});
+
+// Build and push an image to ECR with inline caching.
+const myImage = new docker_build.Image("my-image", {
+    // Tag our image with our ECR repository's address.
+    tags: [pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`],
+    context: {
+        location: "./app",
+    },
+    // Use the pushed image as a cache source.
+    cacheFrom: [{
+        registry: {
+            ref: pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`,
+        },
+    }],
+    // Include an inline cache with our pushed image.
+    cacheTo: [{
+        inline: {},
+    }],
+    // Build a multi-platform image manifest for ARM and AMD.
+    platforms: [
+        "linux/amd64",
+        "linux/arm64",
+    ],
+    // Push the final result to ECR.
+    push: true,
+    // Provide our ECR credentials.
+    registries: [{
+        address: ecrRepository.repositoryUrl,
+        password: authToken.password,
+        username: authToken.userName,
+    }],
+});
+
+// Export a ref for the pushed images so we can deploy it.
+export const ref = myImage.ref;
+```
+
+{{% /choosable %}}
+
+{{% choosable language python %}}
+
+```python
+import pulumi
+import pulumi_aws as aws
+import pulumi_docker_build as docker_build
+
+# Create an ECR repository for pushing.
+ecr_repository = aws.ecr.Repository("ecr-repository")
+
+# Grab auth credentials for ECR.
+auth_token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id)
+
+# Build and push an image to ECR with inline caching.
+my_image = docker_build.Image("my-image",
+    # Tag our image with our ECR repository's address.
+    tags=[ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest")],
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
+    # Use the pushed image as a cache source.
+    cache_from=[docker_build.CacheFromArgs(
+        registry=docker_build.CacheFromRegistryArgs(
+            ref=ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest"),
+        ),
+    )],
+    # Include an inline cache with our pushed image.
+    cache_to=[docker_build.CacheToArgs(
+        inline=docker_build.CacheToInlineArgs(),
+    )],
+    # Build a multi-platform image manifest for ARM and AMD.
+    platforms=[
+        docker_build.Platform.LINUX_AMD64,
+        docker_build.Platform.LINUX_ARM64,
+    ],
+    # Push the final result to ECR.
+    push=True,
+    # Provide our ECR credentials.
+    registries=[docker_build.RegistryArgs(
+        address=ecr_repository.repository_url,
+        password=auth_token.password,
+        username=auth_token.user_name,
+    )],
+)
+
+# Export a ref for the pushed images so we can deploy it.
+pulumi.export("ref", my_image.ref)
+```
+
+{{% /choosable %}}
+
+{{% choosable language csharp %}}
+
+```csharp
+using System.Collections.Generic;
+using System.Linq;
+using Pulumi;
+using Aws = Pulumi.Aws;
+using DockerBuild = Pulumi.DockerBuild;
+
+return await Deployment.RunAsync(() =>
+{
+    // Create an ECR repository for pushing.
+    var ecrRepository = new Aws.Ecr.Repository("ecr-repository");
+
+    // Grab auth credentials for ECR.
+    var authToken = Aws.Ecr.GetAuthorizationToken.Invoke(new()
+    {
+        RegistryId = ecrRepository.RegistryId,
+    });
+
+    // Build and push an image to ECR with inline caching.
+    var myImage = new DockerBuild.Image("my-image", new()
+    {
+        // Tag our image with our ECR repository's address.
+        Tags = new[]
+        {
+            ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        // Use the pushed image as a cache source.
+        CacheFrom = new[]
+        {
+            new DockerBuild.Inputs.CacheFromArgs
+            {
+                Registry = new DockerBuild.Inputs.CacheFromRegistryArgs
+                {
+                    Ref = ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
+                },
+            },
+        },
+        // Include an inline cache with our pushed image.
+        CacheTo = new[]
+        {
+            new DockerBuild.Inputs.CacheToArgs
+            {
+                Inline = null,
+            },
+        },
+        // Build a multi-platform image manifest for ARM and AMD.
+        Platforms = new[]
+        {
+            DockerBuild.Platform.Linux_amd64,
+            DockerBuild.Platform.Linux_arm64,
+        },
+        // Push the final result to ECR.
+        Push = true,
+        // Provide our ECR credentials.
+        Registries = new[]
+        {
+            new DockerBuild.Inputs.RegistryArgs
+            {
+                Address = ecrRepository.RepositoryUrl,
+                Password = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.Password),
+                Username = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.UserName),
+            },
+        },
+    });
+
+    // Export a ref for the pushed images so we can deploy it.
+    return new Dictionary<string, object?>
+    {
+        ["ref"] = myImage.Ref,
+    };
+});
+
+```
+
+{{% /choosable %}}
+
+{{% choosable language go %}}
+
+```go
+package main
+
+import (
+    "fmt"
+
+    "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
+    "github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
+    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+)
+
+func main() {
+    pulumi.Run(func(ctx *pulumi.Context) error {
+        // Create an ECR repository for pushing.
+        ecrRepository, err := ecr.NewRepository(ctx, "ecr-repository", nil)
+        if err != nil {
+            return err
+        }
+
+        // Grab auth credentials for ECR.
+        authToken := ecr.GetAuthorizationTokenOutput(ctx, ecr.GetAuthorizationTokenOutputArgs{
+            RegistryId: ecrRepository.RegistryId,
+        }, nil)
+
+        // Build and push an image to ECR with inline caching.
+        myImage, err := dockerbuild.NewImage(ctx, "my-image", &dockerbuild.ImageArgs{
+            // Tag our image with our ECR repository's address.
+            Tags: pulumi.StringArray{
+                ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
+                    return fmt.Sprintf("%v:latest", repositoryUrl), nil
+                }).(pulumi.StringOutput),
+            },
+            Context: &dockerbuild.BuildContextArgs{
+                Location: pulumi.String("./app"),
+            },
+            // Use the pushed image as a cache source.
+            CacheFrom: dockerbuild.CacheFromArray{
+                &dockerbuild.CacheFromArgs{
+                    Registry: &dockerbuild.CacheFromRegistryArgs{
+                        Ref: ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
+                            return fmt.Sprintf("%v:latest", repositoryUrl), nil
+                        }).(pulumi.StringOutput),
+                    },
+                },
+            },
+            // Include an inline cache with our pushed image.
+            CacheTo: dockerbuild.CacheToArray{
+                &dockerbuild.CacheToArgs{
+                    Inline: nil,
+                },
+            },
+            // Build a multi-platform image manifest for ARM and AMD.
+            Platforms: dockerbuild.PlatformArray{
+                dockerbuild.Platform_Linux_amd64,
+                dockerbuild.Platform_Linux_arm64,
+            },
+            // Push the final result to ECR.
+            Push: pulumi.Bool(true),
+            // Provide our ECR credentials.
+            Registries: dockerbuild.RegistryArray{
+                &dockerbuild.RegistryArgs{
+                    Address: ecrRepository.RepositoryUrl,
+                    Password: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
+                        return &authToken.Password, nil
+                    }).(pulumi.StringPtrOutput),
+                    Username: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
+                        return &authToken.UserName, nil
+                    }).(pulumi.StringPtrOutput),
+                },
+            },
+        })
+        if err != nil {
+            return err
+        }
+
+        // Export a ref for the pushed images so we can deploy it.
+        ctx.Export("ref", myImage.Ref)
+        return nil
+    })
+}
+```
+
+{{% /choosable %}}
+
+{{% choosable language yaml %}}
+
+```yaml
+description: Push to AWS ECR with caching
+name: ecr
+outputs:
+    ref: ${my-image.ref}
+resources:
+    # Create an ECR repository for pushing.
+    ecr-repository:
+        type: aws:ecr:Repository
+
+    # Build and push an image to ECR with inline caching.
+    my-image:
+        type: docker-build:Image
+        properties:
+            # Tag our image with our ECR repository's address.
+            tags:
+                - ${ecr-repository.repositoryUrl}:latest
+            context:
+                location: ./app
+            # Use the pushed image as a cache source.
+            cacheFrom:
+                - registry:
+                    ref: ${ecr-repository.repositoryUrl}:latest
+            # Include an inline cache with our pushed image.
+            cacheTo:
+                - inline: {}
+            # Build a multi-platform image manifest for ARM and AMD.
+            platforms:
+                - linux/amd64
+                - linux/arm64
+            # Push the final result to ECR.
+            push: true
+            # Provide our ECR credentials.
+            registries:
+                - address: ${ecr-repository.repositoryUrl}
+                  password: ${auth-token.password}
+                  username: ${auth-token.userName}
+
+runtime: yaml
+variables:
+    auth-token:
+        # Grab auth credentials for ECR.
+        fn::aws:ecr:getAuthorizationToken:
+            registryId: ${ecr-repository.registryId}
+```
+
+{{% /choosable %}}
+
+{{% choosable language java %}}
+
+```java
+package myapp;
+
+import com.pulumi.Context;
+import com.pulumi.Pulumi;
+import com.pulumi.core.Output;
+import com.pulumi.aws.ecr.Repository;
+import com.pulumi.aws.ecr.EcrFunctions;
+import com.pulumi.aws.ecr.inputs.GetAuthorizationTokenArgs;
+import com.pulumi.dockerbuild.Image;
+import com.pulumi.dockerbuild.ImageArgs;
+import com.pulumi.dockerbuild.inputs.CacheFromArgs;
+import com.pulumi.dockerbuild.inputs.CacheFromRegistryArgs;
+import com.pulumi.dockerbuild.inputs.CacheToArgs;
+import com.pulumi.dockerbuild.inputs.CacheToInlineArgs;
+import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import com.pulumi.dockerbuild.inputs.RegistryArgs;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Map;
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class App {
+    public static void main(String[] args) {
+        Pulumi.run(App::stack);
+    }
+
+    public static void stack(Context ctx) {
+        // Create an ECR repository for pushing.
+        var ecrRepository = new Repository("ecrRepository");
+
+        // Grab auth credentials for ECR.
+        final var authToken = EcrFunctions.getAuthorizationToken(GetAuthorizationTokenArgs.builder()
+            .registryId(ecrRepository.registryId())
+            .build());
+
+        // Build and push an image to ECR with inline caching.
+        var myImage = new Image("myImage", ImageArgs.builder()
+            // Tag our image with our ECR repository's address.
+            .tags(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
+            .context(BuildContextArgs.builder()
+                .location("./app")
+                .build())
+            // Use the pushed image as a cache source.
+            .cacheFrom(CacheFromArgs.builder()
+                .registry(CacheFromRegistryArgs.builder()
+                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
+                    .build())
+                .build())
+            // Include an inline cache with our pushed image.
+            .cacheTo(CacheToArgs.builder()
+                .inline()
+                .build())
+            // Build a multi-platform image manifest for ARM and AMD.
+            .platforms(
+                "linux/amd64",
+                "linux/arm64")
+            // Push the final result to ECR.
+            .push(true)
+            // Provide our ECR credentials.
+            .registries(RegistryArgs.builder()
+                .address(ecrRepository.repositoryUrl())
+                .password(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.password())))
+                .username(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.userName())))
+                .build())
+            .build());
+
+        ctx.export("ref", myImage.ref());
+    }
+}
+```
+
+{{% /choosable %}}
+
+{{< /chooser >}}
--- a/docs/generate.go
+++ b/docs/generate.go
@@ -81,6 +81,7 @@ func markdownExample(description string,
 	csharp string,
 	golang string,
 	yaml string,
+	hcl string,
 	java string,
 ) string {
 	return fmt.Sprintf("{{%% example %%}}\n### %s\n\n"+
@@ -89,9 +90,10 @@ func markdownExample(description string,
 		"```csharp\n%s```\n"+
 		"```go\n%s```\n"+
 		"```yaml\n%s```\n"+
+		"```hcl\n%s```\n"+
 		"```java\n%s```\n"+
 		"{{%% /example %%}}\n",
-		description, typescript, python, csharp, golang, yaml, java)
+		description, typescript, python, csharp, golang, yaml, hcl, java)
 }

 func convert(language, tempDir, programFile string) (string, error) {
@@ -186,6 +188,10 @@ func processYaml(path, mdDir string) error {
 			if err != nil {
 				return false, err
 			}
+			hcl, err := convert("hcl", dir, "program.hcl")
+			if err != nil {
+				return false, err
+			}

 			yamlContent, err := os.ReadFile(filepath.Clean(filepath.Join(dir, "Pulumi.yaml")))
 			if err != nil {
@@ -193,7 +199,9 @@ func processYaml(path, mdDir string) error {
 			}
 			yaml := string(yamlContent)

-			exampleStrings = append(exampleStrings, markdownExample(description, typescript, python, csharp, golang, yaml, java))
+			exampleStrings = append(exampleStrings, markdownExample(
+				description, typescript, python, csharp, golang, yaml, hcl, java,
+			))

 			return true, nil
 		}()
--- a/docs/installation-configuration.md
+++ b/docs/installation-configuration.md
@@ -0,0 +1,33 @@
+---
+title: Docker-Build Installation & Configuration
+meta_desc: Provides an overview on how to configure the Pulumi Docker-Build Provider.
+layout: package
+---
+
+The Pulumi Docker-build provider builds modern Docker images with [buildx](https://docs.docker.com/reference/cli/docker/buildx/) and [BuildKit](https://docs.docker.com/build/buildkit/).
+
+## Installation
+
+The Docker-Build provider is available as a package in all Pulumi languages:
+
+* JavaScript/TypeScript: [`@pulumi/docker-build`](https://www.npmjs.com/package/@pulumi/docker-build)
+* Python: [`pulumi-docker-build`](https://pypi.org/project/pulumi-docker-build/)
+* Go: [`github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild`](https://github.com/pulumi/pulumi-docker-build)
+* .NET: [`Pulumi.DockerBuild`](https://www.nuget.org/packages/Pulumi.DockerBuild)
+* Java: [`com.pulumi/docker-build`](https://central.sonatype.com/artifact/com.pulumi/docker-build)
+
+## Configuring The Provider
+
+### Host
+
+The `DOCKER_HOST` environment variable can be used to specify a custom build daemon's location.
+
+```bash
+$ export DOCKER_HOST=tcp://127.0.0.1:2376/
+```
+
+This can also be specified in your stack's configuration:
+
+```bash
+$ pulumi config set docker-build:host tcp://127.0.0.1:2376/
+```
--- a/docs/yaml/image-examples.yaml
+++ b/docs/yaml/image-examples.yaml
@@ -62,7 +62,7 @@ resources:
          username: pulumibot
          password: ${dockerHubPassword}
 outputs:
-  ref: ${my-image.ref}
+  ref: ${image.ref}
 ---
 name: caching
 runtime: yaml
--- a/examples/dotnet_test.go
+++ b/examples/dotnet_test.go
@@ -10,8 +10,9 @@ import (
 	"path/filepath"
 	"testing"

-	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 	"github.com/stretchr/testify/require"
+
+	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 )

 func TestDotNetExample(t *testing.T) {
--- a/examples/go/go.mod
+++ b/examples/go/go.mod
@@ -1,17 +1,14 @@
 module provider-docker-build

-go 1.24.1
-
-toolchain go1.24.5
+go 1.25.8

 require (
-	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12
-	github.com/pulumi/pulumi/sdk/v3 v3.192.0
+	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.18
+	github.com/pulumi/pulumi/sdk/v3 v3.242.0
 )

 require (
 	dario.cat/mergo v1.0.1 // indirect
-	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
@@ -19,80 +16,103 @@ require (
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/charmbracelet/bubbles v0.21.0 // indirect
-	github.com/charmbracelet/bubbletea v1.3.4 // indirect
-	github.com/charmbracelet/colorprofile v0.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/charmbracelet/bubbles v1.0.0 // indirect
+	github.com/charmbracelet/bubbletea v1.3.10 // indirect
+	github.com/charmbracelet/colorprofile v0.4.3 // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
-	github.com/charmbracelet/x/ansi v0.8.0 // indirect
-	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
-	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/charmbracelet/x/ansi v0.11.7 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
+	github.com/charmbracelet/x/term v0.2.2 // indirect
 	github.com/cheggaaa/pb v1.0.29 // indirect
-	github.com/cloudflare/circl v1.6.1 // indirect
-	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/clipperhouse/displaywidth v0.11.0 // indirect
+	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/go-git/go-git/v5 v5.16.0 // indirect
+	github.com/go-git/go-billy/v5 v5.9.0 // indirect
+	github.com/go-git/go-git/v5 v5.19.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/glog v1.2.4 // indirect
+	github.com/golang/glog v1.2.5 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
+	github.com/hashicorp/go-version v1.9.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
+	github.com/mattn/go-isatty v0.0.22 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-runewidth v0.0.23 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
-	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pgavlin/fx/v2 v2.0.12 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.17.0 // indirect
+	github.com/pulumi/esc v0.24.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
-	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/cobra v1.10.2 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/zclconf/go-cty v1.16.2 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	github.com/zclconf/go-cty v1.17.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/collector/featuregate v1.58.0 // indirect
+	go.opentelemetry.io/collector/pdata v1.58.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/net v0.40.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.33.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/net v0.54.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260519071638-aa98bba5eb94 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94 // indirect
+	google.golang.org/grpc v1.81.1 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/frand v1.5.1 // indirect
--- a/examples/go/go.sum
+++ b/examples/go/go.sum
@@ -1,7 +1,5 @@
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
-github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
@@ -23,27 +21,35 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u6mfQdFs=
-github.com/charmbracelet/bubbles v0.21.0/go.mod h1:HF+v6QUR4HkEpz62dx7ym2xc71/KBHg+zKwJtMw+qtg=
-github.com/charmbracelet/bubbletea v1.3.4 h1:kCg7B+jSCFPLYRA52SDZjr51kG/fMUEoPoZrkaDHyoI=
-github.com/charmbracelet/bubbletea v1.3.4/go.mod h1:dtcUCyCGEX3g9tosuYiut3MXgY/Jsv9nKVdibKKRRXo=
-github.com/charmbracelet/colorprofile v0.3.0 h1:KtLh9uuu1RCt+Hml4s6Hz+kB1PfV3wi++1h5ia65yKQ=
-github.com/charmbracelet/colorprofile v0.3.0/go.mod h1:oHJ340RS2nmG1zRGPmhJKJ/jf4FPNNk0P39/wBPA1G0=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/charmbracelet/bubbles v1.0.0 h1:12J8/ak/uCZEMQ6KU7pcfwceyjLlWsDLAxB5fXonfvc=
+github.com/charmbracelet/bubbles v1.0.0/go.mod h1:9d/Zd5GdnauMI5ivUIVisuEm3ave1XwXtD1ckyV6r3E=
+github.com/charmbracelet/bubbletea v1.3.10 h1:otUDHWMMzQSB0Pkc87rm691KZ3SWa4KUlvF9nRvCICw=
+github.com/charmbracelet/bubbletea v1.3.10/go.mod h1:ORQfo0fk8U+po9VaNvnV95UPWA1BitP1E0N6xJPlHr4=
+github.com/charmbracelet/colorprofile v0.4.3 h1:QPa1IWkYI+AOB+fE+mg/5/4HRMZcaXex9t5KX76i20Q=
+github.com/charmbracelet/colorprofile v0.4.3/go.mod h1:/zT4BhpD5aGFpqQQqw7a+VtHCzu+zrQtt1zhMt9mR4Q=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
-github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
-github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
-github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
-github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
-github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
-github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
+github.com/charmbracelet/x/ansi v0.11.7 h1:kzv1kJvjg2S3r9KHo8hDdHFQLEqn4RBCb39dAYC84jI=
+github.com/charmbracelet/x/ansi v0.11.7/go.mod h1:9qGpnAVYz+8ACONkZBUWPtL7lulP9No6p1epAihUZwQ=
+github.com/charmbracelet/x/cellbuf v0.0.15 h1:ur3pZy0o6z/R7EylET877CBxaiE1Sp1GMxoFPAIztPI=
+github.com/charmbracelet/x/cellbuf v0.0.15/go.mod h1:J1YVbR7MUuEGIFPCaaZ96KDl5NoS0DAWkskup+mOY+Q=
+github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=
+github.com/charmbracelet/x/term v0.2.2/go.mod h1:kF8CY5RddLWrsgVwpw4kAa6TESp6EB5y3uxGLeCqzAI=
 github.com/cheggaaa/pb v1.0.29 h1:FckUN5ngEk2LpvuG0fw1GEFx6LtyY2pWI/Z2QgCnEYo=
 github.com/cheggaaa/pb v1.0.29/go.mod h1:W40334L7FMC5JKWldsTWbdGjLo0RxUKK73K+TuPxX30=
-github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
-github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSEFgwIwO+UVM8=
+github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
+github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
+github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
-github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
+github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -57,37 +63,41 @@ github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FM
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
-github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
-github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
-github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
-github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
+github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM=
-github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
+github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmmBPA=
+github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.16.0 h1:k3kuOEpkc0DeY7xlL6NaaNg39xdgQbtH5mwCafHO9AQ=
-github.com/go-git/go-git/v5 v5.16.0/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-git/go-git/v5 v5.19.0 h1:+WkVUQZSy/F1Gb13udrMKjIM2PrzsNfDKFSfo5tkMtc=
+github.com/go-git/go-git/v5 v5.19.0/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/glog v1.2.4 h1:CNNw5U8lSiiBk7druxtSHHTsRWcxKoac6kZKm2peBBc=
-github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.5 h1:DrW6hGnjIhtvhOIiAKT6Psh/Kd/ldepEa81DKeiRJ5I=
+github.com/golang/glog v1.2.5/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 h1:5VipnvEpbqr2gA2VbM+nYVbkIF28c5ZQfqCBQ5g2xfk=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0/go.mod h1:Hyl3n6Twe1hvtd9XUXDec4pTvgMSEixRuQKPTMH2bNs=
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 h1:MJG/KsmcqMwFAkh8mTnAwhyKoB+sTAnY4CACC110tbU=
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645/go.mod h1:6iZfnjpejD4L/4DwD7NryNaJyCQdzwWwH2MWhCA90Kw=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -95,17 +105,25 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
-github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
+github.com/hashicorp/go-version v1.9.0 h1:CeOIz6k+LoN3qX9Z0tyQrPtiB1DFYRPfCIBtaXPSCnA=
+github.com/hashicorp/go-version v1.9.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/hcl/v2 v2.24.0 h1:2QJdZ454DSsYGoaE6QheQZjtKZSUs9Nh2izTWiwQxvE=
+github.com/hashicorp/hcl/v2 v2.24.0/go.mod h1:oGoO1FIQYfn/AgyOhlg9qLC6/nOJPX3qGbkZpYAcqfM=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -113,24 +131,30 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
-github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/lucasb-eyer/go-colorful v1.4.0 h1:UtrWVfLdarDgc44HcS7pYloGHJUjHV/4FwW4TvVgFr4=
+github.com/lucasb-eyer/go-colorful v1.4.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
+github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
-github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.23 h1:7ykA0T0jkPpzSvMS5i9uoNn2Xy3R383f9HDx3RybWcw=
+github.com/mattn/go-runewidth v0.0.23/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
@@ -146,10 +170,10 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pgavlin/fx v0.1.6 h1:r9jEg69DhNoCd3Xh0+5mIbdbS3PqWrVWujkY76MFRTU=
 github.com/pgavlin/fx v0.1.6/go.mod h1:KWZJ6fqBBSh8GxHYqwYCf3rYE7Gp2p0N8tJp8xv9u9M=
-github.com/pgavlin/fx/v2 v2.0.3 h1:ZBVklTFjxcWvBVPE+ti5qwnmTIQ0Gq6nuj3J5RKDtKk=
-github.com/pgavlin/fx/v2 v2.0.3/go.mod h1:Cvnwqq0BopdHUJ7CU50h1XPeKrF4ZwdFj1nJLXbAjCE=
-github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
-github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
+github.com/pgavlin/fx/v2 v2.0.12 h1:SjjaJ68Dt8Z4zHwOpY/RPijd7lShs6xYupJbF9ra00M=
+github.com/pgavlin/fx/v2 v2.0.12/go.mod h1:M/nF/ooAOy+NUBooYYXl2REARzJ/giPJxfMs8fINfKc=
+github.com/pjbgf/sha1cd v0.6.0 h1:3WJ8Wz8gvDz29quX1OcEmkAlUg9diU4GxJHqs0/XiwU=
+github.com/pjbgf/sha1cd v0.6.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/term v1.1.0 h1:xIAAdCMh3QIAy+5FrE8Ad8XoDhEU4ufwbaSozViP9kk=
@@ -159,33 +183,31 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
-github.com/pulumi/esc v0.17.0 h1:oaVOIyFTENlYDuqc3pW75lQT9jb2cd6ie/4/Twxn66w=
-github.com/pulumi/esc v0.17.0/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
-github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12 h1:uzmw+0iic764m0Yvh4I/jRV1x3q49dVh5Ctq9RllsQ8=
-github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12/go.mod h1:6zFMe786NvFDO03BVJwdw1R/Yms4F6vAU49iBHo8zbQ=
-github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/pulumi/esc v0.24.0 h1:sCtiB0qbyrlU1ZNzJn4dTLYiChl8xeCBFbHWl1YoXJg=
+github.com/pulumi/esc v0.24.0/go.mod h1:eCOOkcDJS6eooGwdE4/E0+pOsvUWG254+KBmPCFwJpA=
+github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.18 h1:emkSEfjXfz7i2vNDi43WTqABhP9TY2mQnO2zdL683hw=
+github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.18/go.mod h1:BriBqoV2I/58/AZy4/4oJfoiJYX7Nf/NxsAmGXDgvgo=
+github.com/pulumi/pulumi/sdk/v3 v3.242.0 h1:gQIZ1ALbT5gCMuRoBscGzk7Rdbx9mbOc+YwDFxvRyss=
+github.com/pulumi/pulumi/sdk/v3 v3.242.0/go.mod h1:P9VS6pQws3YBu67uszFRHn24n5AwzeMlyC2hIiHGWHg=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI=
-github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06/go.mod h1:+ePHsJ1keEjQtpvf9HHw0f4ZeJ0TLRsxhunSI2hYJSs=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
-github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
-github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
+github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
 github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
@@ -193,9 +215,8 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U=
 github.com/texttheater/golang-levenshtein v1.0.1/go.mod h1:PYAKrbF5sAiq9wd+H82hs7gNaen0CplQ9uvm6+enD/8=
 github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
@@ -208,49 +229,72 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70=
-github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
-go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
-go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
-go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
-go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
-go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
-go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+github.com/zclconf/go-cty v1.17.0 h1:seZvECve6XX4tmnvRzWtJNHdscMtYEx5R7bnnVyd/d0=
+github.com/zclconf/go-cty v1.17.0/go.mod h1:wqFzcImaLTI6A5HfsRwB0nj5n0MRZFwmey8YoFPPs3U=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/collector/featuregate v1.58.0 h1:Kh6Dpgbxywv/Q3D6qPehaSxNCxvr/U/ki7CL4y3udCo=
+go.opentelemetry.io/collector/featuregate v1.58.0/go.mod h1:4ga1QBMPEejXXmpyJS8lmaRpknJ3Lb9Bvk6e420bUFU=
+go.opentelemetry.io/collector/internal/testutil v0.152.0 h1:8LGwekR7mLcUDhT1ofLmdnrHRFuUa3U7PBd95ZvJEjQ=
+go.opentelemetry.io/collector/internal/testutil v0.152.0/go.mod h1:Jkjs6rkqs973LqgZ0Fe3zrokQRKULYXPIf4HuqStiEE=
+go.opentelemetry.io/collector/pdata v1.58.0 h1:5Lxut3NxKp87066Pzt+3q7+JUuFI5B3teCyLZIF8wIs=
+go.opentelemetry.io/collector/pdata v1.58.0/go.mod h1:4vZtODINbC/JF3eGocnatdImzbRHseOywIcr+aULjCg=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 h1:RAE+JPfvEmvy+0LzyUA25/SGawPwIUbZ6u0Wug54sLc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0/go.mod h1:AGmbycVGEsRx9mXMZ75CsOyhSP6MFIcj/6dnG+vhVjk=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
+go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
+go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
+go.opentelemetry.io/proto/slim/otlp v1.10.0 h1:iR97Vs/ZDR+y9TfuP9b1XBtdPWeC+OMslIBmhcLU7jM=
+go.opentelemetry.io/proto/slim/otlp v1.10.0/go.mod h1:lV9250stpjYLPNA5viFabIgP2QlUGRT1GdTgAf8SIUk=
+go.opentelemetry.io/proto/slim/otlp/collector/profiles/v1development v0.3.0 h1:RUF5rO0hAlgiJt1fzQVzcVs3vZVNHIcMLgOgG4rWNcQ=
+go.opentelemetry.io/proto/slim/otlp/collector/profiles/v1development v0.3.0/go.mod h1:I89cynRj8y+383o7tEQVg2SVA6SRgDVIouWPUVXjx0U=
+go.opentelemetry.io/proto/slim/otlp/profiles/v1development v0.3.0 h1:CQvJSldHRUN6Z8jsUeYv8J0lXRvygALXIzsmAeCcZE0=
+go.opentelemetry.io/proto/slim/otlp/profiles/v1development v0.3.0/go.mod h1:xSQ+mEfJe/GjK1LXEyVOoSI1N9JV9ZI923X5kup43W4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -265,35 +309,38 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
-golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
+google.golang.org/genproto/googleapis/api v0.0.0-20260519071638-aa98bba5eb94 h1:DddG61lE5LkX6144z22i0gma9BMBs5aZ9B8lZLobxyw=
+google.golang.org/genproto/googleapis/api v0.0.0-20260519071638-aa98bba5eb94/go.mod h1:1dCETSCY2YKZNXQE3h4fun3TYwF5p8jejRKZgfWAgAY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94 h1:eZCjr/aAF8c5ccm5pb6T4EXgIei5MlAAPWPJk+5ArfY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ=
+google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -303,10 +350,9 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 lukechampine.com/frand v1.5.1 h1:fg0eRtdmGFIxhP5zQJzM1lFDbD6CUfu/f+7WgAZd5/w=
 lukechampine.com/frand v1.5.1/go.mod h1:4VstaWc2plN4Mjr10chUD46RAVGWhpkZ5Nja8+Azp0Q=
-pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
-pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
--- a/examples/go/main.go
+++ b/examples/go/main.go
@@ -1,9 +1,10 @@
 package main

 import (
-	"github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
+
+	"github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
 )

 func main() {
--- a/examples/go_test.go
+++ b/examples/go_test.go
@@ -8,8 +8,9 @@ import (
 	"path"
 	"testing"

-	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 	"github.com/stretchr/testify/require"
+
+	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 )

 func TestGoExample(t *testing.T) {
--- a/examples/hcl/.dockerignore
+++ b/examples/hcl/.dockerignore
@@ -0,0 +1,2 @@
+command-output
+tmp
--- a/examples/hcl/Pulumi.yaml
+++ b/examples/hcl/Pulumi.yaml
@@ -0,0 +1,10 @@
+name: provider-docker-build
+runtime: hcl
+config:
+  dockerHubPassword:
+    type: string
+    secret: true
+plugins:
+  providers:
+    - name: docker-build
+      path: ../../bin
--- a/examples/hcl/app/Dockerfile
+++ b/examples/hcl/app/Dockerfile
@@ -0,0 +1,2 @@
+FROM alpine
+RUN echo 👍
--- a/examples/hcl/app/Dockerfile.buildArgs
+++ b/examples/hcl/app/Dockerfile.buildArgs
@@ -0,0 +1,5 @@
+FROM alpine
+
+ARG SET_ME_TO_TRUE
+RUN [ "$SET_ME_TO_TRUE" = "true" ]
+RUN echo "That's the correct build arg, thanks! 👍"
--- a/examples/hcl/app/Dockerfile.emptyContext
+++ b/examples/hcl/app/Dockerfile.emptyContext
@@ -0,0 +1,2 @@
+FROM alpine
+RUN echo "This image doesn't use any local files, so it doesn't need a context parameter 👍"
--- a/examples/hcl/app/Dockerfile.extraHosts
+++ b/examples/hcl/app/Dockerfile.extraHosts
@@ -0,0 +1,3 @@
+FROM bash AS base
+
+RUN getent hosts metadata.google.internal
--- a/examples/hcl/app/Dockerfile.multiPlatform
+++ b/examples/hcl/app/Dockerfile.multiPlatform
@@ -0,0 +1,7 @@
+FROM --platform=$BUILDPLATFORM alpine as build
+RUN echo ${BUILDPLATFORM} > buildplatform
+RUN echo ${TARGETPLATFORM} > targetplatform
+
+FROM build
+RUN cat buildplatform
+RUN cat targetplatform
--- a/examples/hcl/app/Dockerfile.namedContexts
+++ b/examples/hcl/app/Dockerfile.namedContexts
@@ -0,0 +1,5 @@
+# syntax=docker/dockerfile:1.4
+FROM golang:latest
+
+RUN version="$(go version)" && echo $version && [ "$version" = "go version go1.21.7 linux/amd64" ]
+RUN echo "This image uses named contexts to pin golang:latest to a specific SHA 👍"
--- a/examples/hcl/app/Dockerfile.secrets
+++ b/examples/hcl/app/Dockerfile.secrets
@@ -0,0 +1,4 @@
+FROM alpine
+
+RUN --mount=type=secret,id=password [ "$(cat /run/secrets/password)" = "hunter2" ]
+
--- a/examples/hcl/app/Dockerfile.sshMount
+++ b/examples/hcl/app/Dockerfile.sshMount
@@ -0,0 +1,5 @@
+FROM alpine
+
+RUN apk add openssh-client
+
+RUN --mount=type=ssh ssh-add -l
--- a/examples/hcl/app/Dockerfile.target
+++ b/examples/hcl/app/Dockerfile.target
@@ -0,0 +1,8 @@
+FROM alpine as build-me
+RUN echo 👍
+
+FROM build-me as also-build-me
+RUN echo 🤙
+
+FROM build-me as dont-build-me
+RUN [ "true" = "false" ]
--- a/examples/hcl/program.hcl
+++ b/examples/hcl/program.hcl
@@ -0,0 +1,171 @@
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.1.0-alpha.0+dev"
+    }
+  }
+}
+
+resource "docker-build_image" "multiPlatform" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.multiPlatform"
+  }
+  context = {
+    location = "./app"
+  }
+  platforms = ["plan9/amd64", "plan9/386"]
+}
+resource "docker-build_image" "registryPush" {
+  push = false
+  context = {
+    location = "./app"
+  }
+  tags = ["docker.io/pulumibot/buildkit-e2e:example"]
+  exports {
+    registry = {
+      oci_media_types = true
+      push            = false
+    }
+  }
+  registries {
+    address  = "docker.io"
+    username = "pulumibot"
+    password = var.dockerHubPassword
+  }
+}
+resource "docker-build_image" "cached" {
+  push = false
+  context = {
+    location = "./app"
+  }
+  cache_to {
+    local = {
+      dest = "tmp/cache"
+      mode = "max"
+    }
+  }
+  cache_from {
+    local = {
+      src = "tmp/cache"
+    }
+  }
+}
+resource "docker-build_image" "buildArgs" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.buildArgs"
+  }
+  context = {
+    location = "./app"
+  }
+  build_args = {
+    "SET_ME_TO_TRUE" = "true"
+  }
+}
+resource "docker-build_image" "extraHosts" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.extraHosts"
+  }
+  context = {
+    location = "./app"
+  }
+  add_hosts = ["metadata.google.internal:169.254.169.254"]
+}
+resource "docker-build_image" "sshMount" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.sshMount"
+  }
+  context = {
+    location = "./app"
+  }
+  ssh {
+    id = "default"
+  }
+}
+resource "docker-build_image" "secrets" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.secrets"
+  }
+  context = {
+    location = "./app"
+  }
+  secrets = {
+    "password" = "hunter2"
+  }
+}
+resource "docker-build_image" "labels" {
+  push = false
+  context = {
+    location = "./app"
+  }
+  labels = {
+    "description" = "This image will get a descriptive label 👍"
+  }
+}
+resource "docker-build_image" "target" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.target"
+  }
+  context = {
+    location = "./app"
+  }
+  target = "build-me"
+}
+resource "docker-build_image" "namedContexts" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.namedContexts"
+  }
+  context = {
+    location = "./app"
+    named = {
+      "golang:latest" = {
+        location = "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984"
+      }
+    }
+  }
+}
+resource "docker-build_image" "remoteContext" {
+  push = false
+  context = {
+    location = "https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile"
+  }
+}
+resource "docker-build_image" "remoteContextWithInline" {
+  push = false
+  dockerfile = {
+    inline = "FROM busybox\nCOPY hello.c ./\n"
+  }
+  context = {
+    location = "https://github.com/docker-library/hello-world.git"
+  }
+}
+resource "docker-build_image" "inline" {
+  push = false
+  dockerfile = {
+    inline = "FROM alpine\nRUN echo \"This uses an inline Dockerfile! 👍\"\n"
+  }
+}
+resource "docker-build_image" "dockerLoad" {
+  push = false
+  context = {
+    location = "./app"
+  }
+  exports {
+    docker = {
+      tar = true
+    }
+  }
+}
+variable "dockerHubPassword" {
+  type = string
+}
+output "platforms" {
+  value = docker-build_image.multiPlatform.platforms
+}
--- a/examples/java_test.go
+++ b/examples/java_test.go
@@ -8,8 +8,9 @@ import (
 	"path"
 	"testing"

-	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 	"github.com/stretchr/testify/require"
+
+	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 )

 func TestJavaExample(t *testing.T) {
--- a/examples/nodejs/package.json
+++ b/examples/nodejs/package.json
@@ -5,6 +5,6 @@
  },
  "dependencies": {
    "typescript": "^4.0.0",
-    "@pulumi/pulumi": "3.184.0"
+    "@pulumi/pulumi": "3.244.0"
  }
 }
--- a/examples/nodejs_test.go
+++ b/examples/nodejs_test.go
@@ -16,14 +16,15 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
 	"github.com/pulumi/providertest"
 	"github.com/pulumi/providertest/optproviderupgrade"
 	"github.com/pulumi/providertest/pulumitest"
 	"github.com/pulumi/providertest/pulumitest/assertpreview"
 	"github.com/pulumi/providertest/pulumitest/opttest"
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )

 func TestNodeExample(t *testing.T) {
--- a/examples/python_test.go
+++ b/examples/python_test.go
@@ -8,8 +8,9 @@ import (
 	"path"
 	"testing"

-	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 	"github.com/stretchr/testify/require"
+
+	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 )

 func TestPythonExample(t *testing.T) {
--- a/examples/tests/caching/package.json
+++ b/examples/tests/caching/package.json
@@ -4,6 +4,6 @@
    "@types/node": "^20.0.0"
  },
  "dependencies": {
-    "@pulumi/pulumi": "3.184.0"
+    "@pulumi/pulumi": "3.244.0"
  }
 }
--- a/examples/tests/caching/yarn.lock
+++ b/examples/tests/caching/yarn.lock
--- a/examples/tests/config/package.json
+++ b/examples/tests/config/package.json
@@ -4,6 +4,6 @@
    "@types/node": "^20.0.0"
  },
  "dependencies": {
-    "@pulumi/pulumi": "3.184.0"
+    "@pulumi/pulumi": "3.244.0"
  }
 }
--- a/examples/tests/ecr/Pulumi.yaml
+++ b/examples/tests/ecr/Pulumi.yaml
@@ -38,3 +38,5 @@ variables:
  auth-token:
    fn::aws:ecr:getAuthorizationToken:
      registryId: ${ecr-repository.registryId}
+config:
+  aws:region: us-west-2
--- a/examples/upgrade-node/package.json
+++ b/examples/upgrade-node/package.json
@@ -5,6 +5,6 @@
  },
  "dependencies": {
    "typescript": "^4.0.0",
-    "@pulumi/pulumi": "3.184.0"
+    "@pulumi/pulumi": "3.244.0"
  }
 }
--- a/examples/yaml_test.go
+++ b/examples/yaml_test.go
@@ -8,15 +8,17 @@ import (
 	"path"
 	"testing"

+	"github.com/stretchr/testify/require"
+
 	"github.com/pulumi/providertest"
 	"github.com/pulumi/providertest/providers"
 	"github.com/pulumi/providertest/pulumitest"
 	"github.com/pulumi/providertest/pulumitest/assertpreview"
 	"github.com/pulumi/providertest/pulumitest/opttest"
-	"github.com/pulumi/pulumi-docker-build/provider"
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 	pulumirpc "github.com/pulumi/pulumi/sdk/v3/proto/go"
-	"github.com/stretchr/testify/require"
+
+	"github.com/pulumi/pulumi-docker-build/provider"
 )

 func TestYAMLExample(t *testing.T) {
@@ -33,6 +35,20 @@ func TestYAMLExample(t *testing.T) {
 	integration.ProgramTest(t, &test)
 }

+func TestHCLExample(t *testing.T) {
+	cwd, err := os.Getwd()
+	require.NoError(t, err)
+
+	test := integration.ProgramTestOptions{
+		Dir: path.Join(cwd, "hcl"),
+		Secrets: map[string]string{
+			"dockerHubPassword": os.Getenv("DOCKER_HUB_PASSWORD"),
+		},
+	}
+
+	integration.ProgramTest(t, &test)
+}
+
 func TestYAMLExampleUpgrade(t *testing.T) {
 	pt := pulumitest.NewPulumiTest(t, "upgrade",
 		opttest.AttachProviderServer("docker-build", providerServerFactory))
--- a/go.mod
+++ b/go.mod
@@ -1,162 +1,111 @@
 module github.com/pulumi/pulumi-docker-build

-go 1.24.1
+go 1.25.8

 require (
 	github.com/aws/aws-sdk-go v1.55.5
 	github.com/blang/semver v3.5.1+incompatible
+	github.com/containerd/errdefs v1.0.0
 	github.com/distribution/reference v0.6.0
 	github.com/docker/buildx v0.22.0
 	github.com/docker/cli v28.0.4+incompatible
 	github.com/docker/docker v28.0.1+incompatible
-	github.com/golangci/golangci-lint v1.59.1
 	github.com/moby/buildkit v0.20.1
 	github.com/moby/patternmatcher v0.6.0
 	github.com/muesli/reflow v0.3.0
 	github.com/otiai10/copy v1.14.0
-	github.com/pulumi/providertest v0.3.1
-	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef
-	github.com/pulumi/pulumi-go-provider v1.1.1
-	github.com/pulumi/pulumi-java/pkg v1.16.0
-	github.com/pulumi/pulumi-yaml v1.21.2
-	github.com/pulumi/pulumi/pkg/v3 v3.192.0
-	github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250806165243-bee5e4fa4815
-	github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250806165243-bee5e4fa4815
-	github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250806165243-bee5e4fa4815
-	github.com/pulumi/pulumi/sdk/v3 v3.192.0
+	github.com/pulumi/providertest v0.7.0
+	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.106.2
+	github.com/pulumi/pulumi-go-provider v1.3.2
+	github.com/pulumi/pulumi-java v1.28.0
+	github.com/pulumi/pulumi/pkg/v3 v3.243.0
+	github.com/pulumi/pulumi/sdk/v3 v3.243.0
 	github.com/regclient/regclient v0.7.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/afero v1.14.0
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.11.1
 	github.com/tonistiigi/fsutil v0.0.0-20250113203817-b14e27f4135a
 	github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4
-	go.opentelemetry.io/otel/metric v1.36.0
-	go.opentelemetry.io/otel/sdk v1.36.0
-	go.opentelemetry.io/otel/trace v1.36.0
-	go.uber.org/mock v0.5.2
-	golang.org/x/crypto v0.39.0
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
-	google.golang.org/protobuf v1.36.6
+	go.opentelemetry.io/otel/metric v1.43.0
+	go.opentelemetry.io/otel/sdk v1.43.0
+	go.opentelemetry.io/otel/trace v1.43.0
+	go.uber.org/mock v0.6.0
+	golang.org/x/crypto v0.51.0
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
+	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v3 v3.0.1
 )

 require (
-	4d63.com/gocheckcompilerdirectives v1.2.1 // indirect
-	4d63.com/gochecknoglobals v0.2.1 // indirect
 	cloud.google.com/go v0.112.1 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	cloud.google.com/go/iam v1.1.6 // indirect
 	cloud.google.com/go/kms v1.15.7 // indirect
 	cloud.google.com/go/logging v1.9.0 // indirect
 	cloud.google.com/go/longrunning v0.5.5 // indirect
 	cloud.google.com/go/storage v1.39.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect
-	github.com/4meepo/tagalign v1.3.4 // indirect
-	github.com/Abirdcfly/dupword v0.0.14 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
-	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
-	github.com/Antonboom/errname v0.1.13 // indirect
-	github.com/Antonboom/nilnil v0.1.9 // indirect
-	github.com/Antonboom/testifylint v1.3.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
-	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
-	github.com/BurntSushi/toml v1.5.0 // indirect
-	github.com/Crocmagnon/fatcontext v0.2.2 // indirect
-	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
-	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0 // indirect
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
+	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/OpenPeeDeeP/depguard/v2 v2.2.0 // indirect
 	github.com/ProtonMail/go-crypto v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/alecthomas/chroma v0.10.0 // indirect
-	github.com/alecthomas/chroma/v2 v2.13.0 // indirect
-	github.com/alecthomas/go-check-sumtype v0.1.4 // indirect
-	github.com/alexkohler/nakedret/v2 v2.0.4 // indirect
-	github.com/alexkohler/prealloc v1.0.0 // indirect
-	github.com/alingse/asasalint v0.0.11 // indirect
 	github.com/apparentlymart/go-cidr v1.0.1 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
-	github.com/ashanbrown/forbidigo v1.6.0 // indirect
-	github.com/ashanbrown/makezero v1.1.1 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.41.5 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.27.27 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.8 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kms v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
-	github.com/aws/smithy-go v1.20.3 // indirect
+	github.com/aws/smithy-go v1.24.2 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
-	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/bazelbuild/buildtools v0.0.0-20260211083412-859bfffeef82 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bkielbasa/cyclop v1.2.1 // indirect
-	github.com/blizzy78/varnamelen v0.8.0 // indirect
-	github.com/bombsimon/wsl/v4 v4.2.1 // indirect
-	github.com/breml/bidichk v0.2.7 // indirect
-	github.com/breml/errchkjson v0.3.6 // indirect
-	github.com/butuzov/ireturn v0.3.0 // indirect
-	github.com/butuzov/mirror v1.2.0 // indirect
-	github.com/catenacyber/perfsprint v0.7.1 // indirect
-	github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
 	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/charithe/durationcheck v0.0.10 // indirect
-	github.com/charmbracelet/bubbles v0.21.0 // indirect
-	github.com/charmbracelet/bubbletea v1.3.4 // indirect
-	github.com/charmbracelet/colorprofile v0.3.0 // indirect
-	github.com/charmbracelet/glamour v0.6.0 // indirect
+	github.com/charmbracelet/bubbles v1.0.0 // indirect
+	github.com/charmbracelet/bubbletea v1.3.10 // indirect
+	github.com/charmbracelet/colorprofile v0.4.3 // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
-	github.com/charmbracelet/x/ansi v0.8.0 // indirect
-	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
-	github.com/charmbracelet/x/term v0.2.1 // indirect
-	github.com/chavacava/garif v0.1.0 // indirect
+	github.com/charmbracelet/x/ansi v0.11.7 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
+	github.com/charmbracelet/x/term v0.2.2 // indirect
 	github.com/cheggaaa/pb v1.0.29 // indirect
-	github.com/ckaznocha/intrange v0.1.2 // indirect
-	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/clipperhouse/displaywidth v0.11.0 // indirect
+	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/compose-spec/compose-go/v2 v2.4.8 // indirect
 	github.com/containerd/console v1.0.4 // indirect
 	github.com/containerd/containerd/api v1.8.0 // indirect
-	github.com/containerd/containerd/v2 v2.0.3 // indirect
+	github.com/containerd/containerd/v2 v2.0.7 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v1.0.0-rc.1 // indirect
 	github.com/containerd/ttrpc v1.2.7 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
-	github.com/curioswitch/go-reassign v0.2.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
-	github.com/daixiang0/gci v0.13.4 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/deckarep/golang-set/v2 v2.5.0 // indirect
-	github.com/denis-tingaikin/go-header v0.5.0 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
-	github.com/dlclark/regexp2 v1.11.0 // indirect
 	github.com/docker/cli-docs-tool v0.9.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.2 // indirect
@@ -164,78 +113,49 @@ require (
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
-	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/edsrzf/mmap-go v1.2.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
-	github.com/erikgeiser/promptkit v0.9.0 // indirect
-	github.com/ettle/strcase v0.2.0 // indirect
-	github.com/fatih/color v1.17.0 // indirect
-	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/firefart/nonamedreturns v1.0.5 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fvbommel/sortorder v1.0.1 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/fzipp/gocyclo v0.6.0 // indirect
-	github.com/ghostiam/protogetter v0.3.6 // indirect
-	github.com/go-critic/go-critic v0.11.4 // indirect
+	github.com/git-pkgs/manifests v0.4.1 // indirect
+	github.com/git-pkgs/packageurl-go v0.3.1 // indirect
+	github.com/git-pkgs/purl v0.1.10 // indirect
+	github.com/git-pkgs/vers v0.2.4 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/go-git/go-git/v5 v5.16.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-git/go-billy/v5 v5.9.0 // indirect
+	github.com/go-git/go-git/v5 v5.19.1 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.5 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/go-toolsmith/astcast v1.1.0 // indirect
-	github.com/go-toolsmith/astcopy v1.1.0 // indirect
-	github.com/go-toolsmith/astequal v1.2.0 // indirect
-	github.com/go-toolsmith/astfmt v1.1.0 // indirect
-	github.com/go-toolsmith/astp v1.1.0 // indirect
-	github.com/go-toolsmith/strparse v1.1.0 // indirect
-	github.com/go-toolsmith/typep v1.1.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
-	github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect
-	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/go-test/deep v1.1.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gofrs/uuid v4.2.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
-	github.com/golang/glog v1.2.4 // indirect
+	github.com/golang/glog v1.2.5 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect
-	github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e // indirect
-	github.com/golangci/misspell v0.6.0 // indirect
-	github.com/golangci/modinfo v0.3.4 // indirect
-	github.com/golangci/plugin-module-register v0.1.1 // indirect
-	github.com/golangci/revgrep v0.5.3 // indirect
-	github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/google/wire v0.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.2 // indirect
-	github.com/gordonklaus/ineffassign v0.1.0 // indirect
-	github.com/gorilla/css v1.0.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
-	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
-	github.com/gostaticanalysis/comment v1.4.2 // indirect
-	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect
-	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -246,59 +166,29 @@ require (
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.6 // indirect
-	github.com/hashicorp/go-version v1.7.0 // indirect
+	github.com/hashicorp/go-version v1.9.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
 	github.com/hashicorp/vault/api v1.12.0 // indirect
-	github.com/hexops/gotextdiff v1.0.3 // indirect
 	github.com/iancoleman/strcase v0.3.0 // indirect
-	github.com/ijc/Gotty v0.0.0-20170406111628-a8b993ba6abd // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/in-toto/in-toto-golang v0.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/iwdgo/sigintwindows v0.2.2 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jgautheron/goconst v1.7.1 // indirect
-	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
-	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
-	github.com/jjti/go-spancheck v0.6.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jonboulle/clockwork v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/julz/importas v0.1.0 // indirect
-	github.com/karamaru-alpha/copyloopvar v1.1.0 // indirect
-	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/kisielk/errcheck v1.7.0 // indirect
-	github.com/kkHAIKE/contextcheck v1.1.5 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
-	github.com/kulti/thelper v0.6.3 // indirect
-	github.com/kunwardeep/paralleltest v1.0.10 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/kyoh86/exportloopref v0.1.11 // indirect
-	github.com/lasiar/canonicalheader v1.1.1 // indirect
-	github.com/ldez/gomoddirectives v0.2.4 // indirect
-	github.com/ldez/tagliatelle v0.5.0 // indirect
-	github.com/leonklingele/grouper v1.1.2 // indirect
-	github.com/lib/pq v1.10.9 // indirect
-	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/lufeee/execinquery v1.2.1 // indirect
-	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
-	github.com/macabu/inamedparam v0.1.3 // indirect
-	github.com/magiconair/properties v1.8.6 // indirect
+	github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/maratori/testableexamples v1.0.0 // indirect
-	github.com/maratori/testpackage v1.1.1 // indirect
-	github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-isatty v0.0.22 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-runewidth v0.0.23 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
-	github.com/mgechev/revive v1.3.7 // indirect
-	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
-	github.com/microcosm-cc/bluemonday v1.0.21 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
@@ -308,7 +198,6 @@ require (
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/moby v28.3.3+incompatible // indirect
 	github.com/moby/spdystream v0.4.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
@@ -317,170 +206,105 @@ require (
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/moricho/tparallel v0.3.1 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/nakabonne/nestif v0.3.1 // indirect
 	github.com/natefinch/atomic v1.0.1 // indirect
-	github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d // indirect
-	github.com/nishanths/exhaustive v0.12.0 // indirect
-	github.com/nishanths/predeclared v0.2.2 // indirect
-	github.com/nunnatsa/ginkgolinter v0.16.2 // indirect
 	github.com/nxadm/tail v1.4.11 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
-	github.com/pgavlin/aho-corasick v0.5.1 // indirect
-	github.com/pgavlin/diff v0.0.0-20230503175810-113847418e2e // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
+	github.com/pgavlin/fx/v2 v2.0.12 // indirect
 	github.com/pgavlin/goldmark v1.1.33-0.20200616210433-b5eb04559386 // indirect
-	github.com/pgavlin/text v0.0.0-20240821195002-b51d0990e284 // indirect
-	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/polyfloyd/go-errorlint v1.5.2 // indirect
-	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/prometheus/client_golang v1.20.5 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.17.0 // indirect
+	github.com/pulumi/esc v0.24.0 // indirect
 	github.com/pulumi/inflector v0.2.1 // indirect
-	github.com/quasilyte/go-ruleguard v0.4.2 // indirect
-	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
-	github.com/quasilyte/gogrep v0.5.0 // indirect
-	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
-	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/ryancurrah/gomodguard v1.3.2 // indirect
-	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
-	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
-	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
-	github.com/sashamelentyev/usestdlibvars v1.26.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
-	github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/segmentio/encoding v0.4.1 // indirect
-	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b // indirect
-	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/shirou/gopsutil/v3 v3.24.5 // indirect
-	github.com/shoenig/go-m1cpu v0.1.6 // indirect
-	github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 // indirect
-	github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546 // indirect
-	github.com/sivchari/containedctx v1.0.3 // indirect
-	github.com/sivchari/tenv v1.7.1 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
-	github.com/sonatard/noctx v0.0.2 // indirect
-	github.com/sourcegraph/appdash-data v0.0.0-20151005221446-73f23eafcf67 // indirect
-	github.com/sourcegraph/go-diff v0.7.0 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
-	github.com/spf13/viper v1.12.0 // indirect
-	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
-	github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect
-	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/subosito/gotenv v1.4.1 // indirect
-	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
-	github.com/tdakkota/asciicheck v0.2.0 // indirect
-	github.com/tetafro/godot v1.4.16 // indirect
+	github.com/spf13/cobra v1.10.2 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
-	github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 // indirect
-	github.com/timonwong/loggercheck v0.9.4 // indirect
-	github.com/tklauser/go-sysconf v0.3.12 // indirect
-	github.com/tklauser/numcpus v0.6.1 // indirect
-	github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
-	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
 	github.com/tonistiigi/dchapes-mode v0.0.0-20241001053921-ca0759fec205 // indirect
 	github.com/tonistiigi/jaeger-ui-rest v0.0.0-20250211190051-7d4944a45bb6 // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/tonistiigi/vt100 v0.0.0-20240514184818-90bafcd6abab // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
-	github.com/ulikunitz/xz v0.5.12 // indirect
-	github.com/ultraware/funlen v0.1.0 // indirect
-	github.com/ultraware/whitespace v0.1.1 // indirect
-	github.com/uudashr/gocognit v1.1.2 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/xen0n/gosmopolitan v1.2.2 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/yagipy/maintidx v1.0.0 // indirect
-	github.com/yeya24/promlinter v0.3.0 // indirect
-	github.com/ykadowak/zerologlint v0.1.5 // indirect
-	github.com/yuin/goldmark v1.5.2 // indirect
-	github.com/yuin/goldmark-emoji v1.0.1 // indirect
-	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	github.com/zclconf/go-cty v1.16.3 // indirect
-	gitlab.com/bosi/decorder v0.4.2 // indirect
-	go-simpler.org/musttag v0.12.2 // indirect
-	go-simpler.org/sloglint v0.7.1 // indirect
+	github.com/zclconf/go-cty v1.17.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/collector/featuregate v1.58.0 // indirect
+	go.opentelemetry.io/collector/pdata v1.58.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/bridge/opentracing v1.33.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.36.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.34.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.6.0 // indirect
-	go.pennock.tech/tabular v1.1.3 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
 	gocloud.dev v0.37.0 // indirect
 	gocloud.dev/secrets/hashivault v0.37.0 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/net v0.40.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/time v0.6.0 // indirect
-	golang.org/x/tools v0.33.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/net v0.55.0 // indirect
+	golang.org/x/oauth2 v0.36.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.169.0 // indirect
 	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/grpc v1.72.1 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260522204824-7f3bc5b78da9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260522204824-7f3bc5b78da9 // indirect
+	google.golang.org/grpc v1.81.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	honnef.co/go/tools v0.4.7 // indirect
 	k8s.io/api v0.31.2 // indirect
 	k8s.io/apimachinery v0.31.2 // indirect
 	k8s.io/client-go v0.31.2 // indirect
@@ -488,8 +312,6 @@ require (
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 	lukechampine.com/frand v1.5.1 // indirect
-	mvdan.cc/gofumpt v0.6.0 // indirect
-	mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
--- a/go.sum
+++ b/go.sum
--- a/provider/cmd/pulumi-resource-docker-build/main.go
+++ b/provider/cmd/pulumi-resource-docker-build/main.go
@@ -16,8 +16,9 @@
 package main

 import (
-	"github.com/pulumi/pulumi-docker-build/provider"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil"
+
+	"github.com/pulumi/pulumi-docker-build/provider"
 )

 func main() {
--- a/provider/cmd/pulumi-resource-docker-build/schema.json
+++ b/provider/cmd/pulumi-resource-docker-build/schema.json
--- a/provider/internal/cache.go
+++ b/provider/internal/cache.go
@@ -17,6 +17,7 @@ package internal
 import (
 	"errors"
 	"fmt"
+	"os"
 	"strings"

 	controllerapi "github.com/docker/buildx/controller/pb"
@@ -148,33 +149,20 @@ func (c CacheWithOCI) String() string {

 // CacheFromGitHubActions pulls cache manifests from the GitHub actions cache.
 type CacheFromGitHubActions struct {
-	URL   string `pulumi:"url,optional"`
-	Token string `pulumi:"token,optional" provider:"secret"`
 	Scope string `pulumi:"scope,optional"`
 }

 // Annotate sets docstrings on CacheFromGitHubActions.
 func (c *CacheFromGitHubActions) Annotate(a infer.Annotator) {
-	a.SetDefault(&c.URL, "", "ACTIONS_CACHE_URL")
-	a.SetDefault(&c.Token, "", "ACTIONS_RUNTIME_TOKEN")
+	a.Describe(&c, dedent(`
+		Recommended for use with GitHub Actions workflows.
+
+		An action like "crazy-max/ghaction-github-runtime" is recommended to expose
+		appropriate credentials to your GitHub workflow.
+	`))
+
 	a.SetDefault(&c.Scope, "buildkit")

-	a.Describe(&c.URL, dedent(`
-		The cache server URL to use for artifacts.
-
-		Defaults to "$ACTIONS_CACHE_URL", although a separate action like
-		"crazy-max/ghaction-github-runtime" is recommended to expose this
-		environment variable to your jobs.
-	`))
-	a.Describe(&c.Token, dedent(`
-		The GitHub Actions token to use. This is not a personal access tokens
-		and is typically generated automatically as part of each job.
-
-		Defaults to "$ACTIONS_RUNTIME_TOKEN", although a separate action like
-		"crazy-max/ghaction-github-runtime" is recommended to expose this
-		environment variable to your jobs.
-
-	`))
 	a.Describe(&c.Scope, dedent(`
 		The scope to use for cache keys. Defaults to "buildkit".

@@ -191,11 +179,12 @@ func (c *CacheFromGitHubActions) String() string {
 	if c.Scope != "" {
 		parts = append(parts, "scope="+c.Scope)
 	}
-	if c.Token != "" {
-		parts = append(parts, "token="+c.Token)
+	// Preserving backwards compatibility with the old behaviour.
+	if token := os.Getenv("ACTIONS_RUNTIME_TOKEN"); token != "" {
+		parts = append(parts, "token="+token)
 	}
-	if c.URL != "" {
-		parts = append(parts, "url="+c.URL)
+	if url := os.Getenv("ACTIONS_CACHE_URL"); url != "" {
+		parts = append(parts, "url="+url)
 	}
 	return strings.Join(parts, ",")
 }
@@ -459,7 +448,7 @@ func (c CacheFrom) String() string {
 	return join(c.Local, c.Registry, c.GHA, c.AZBlob, c.S3, c.Raw)
 }

-func (c CacheFrom) validate(preview bool) (*controllerapi.CacheOptionsEntry, error) {
+func (c CacheFrom) validate(_ bool) (*controllerapi.CacheOptionsEntry, error) {
 	if strings.Count(c.String(), "type=") > 1 {
 		return nil, errors.New("cacheFrom should only specify one cache type")
 	}
@@ -683,7 +672,7 @@ func (c CacheTo) String() string {
 	return join(c.Inline, c.Local, c.Registry, c.GHA, c.AZBlob, c.S3, c.Raw)
 }

-func (c CacheTo) validate(preview bool) (*controllerapi.CacheOptionsEntry, error) {
+func (c CacheTo) validate(_ bool) (*controllerapi.CacheOptionsEntry, error) {
 	if strings.Count(c.String(), "type=") > 1 {
 		return nil, errors.New("cacheTo should only specify one cache type")
 	}
--- a/provider/internal/cache_test.go
+++ b/provider/internal/cache_test.go
@@ -24,14 +24,15 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )

+//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 func TestCacheString(t *testing.T) {
-	t.Parallel()
 	gzip := Gzip

 	tests := []struct {
-		name  string
-		given fmt.Stringer
-		want  string
+		name    string
+		arrange func(t *testing.T)
+		given   fmt.Stringer
+		want    string
 	}{
 		{
 			name: "s3",
@@ -55,7 +56,37 @@ func TestCacheString(t *testing.T) {
 		{
 			name:  "gha",
 			given: CacheTo{GHA: &CacheToGitHubActions{}},
-			want:  "type=gha",
+			arrange: func(t *testing.T) {
+				t.Setenv("ACTIONS_CACHE_URL", "")
+				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
+			},
+			want: "type=gha",
+		},
+		{
+			name: "gha-default-envs",
+			arrange: func(t *testing.T) {
+				t.Setenv("ACTIONS_CACHE_URL", "https://example.com")
+				t.Setenv("ACTIONS_RUNTIME_TOKEN", "token")
+			},
+			given: CacheTo{GHA: &CacheToGitHubActions{
+				CacheFromGitHubActions: CacheFromGitHubActions{
+					Scope: "scope",
+				},
+			}},
+			want: "type=gha,scope=scope,token=token,url=https://example.com",
+		},
+		{
+			name: "gha-with-scope",
+			arrange: func(t *testing.T) {
+				t.Setenv("ACTIONS_CACHE_URL", "")
+				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
+			},
+			given: CacheTo{GHA: &CacheToGitHubActions{
+				CacheFromGitHubActions: CacheFromGitHubActions{
+					Scope: "scope",
+				},
+			}},
+			want: "type=gha,scope=scope",
 		},
 		{
 			name:  "from-local",
@@ -121,9 +152,12 @@ func TestCacheString(t *testing.T) {
 		},
 	}

+	//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
+			if tt.arrange != nil {
+				tt.arrange(t)
+			}

 			actual := tt.given.String()
 			assert.Equal(t, tt.want, actual)
--- a/provider/internal/client.go
+++ b/provider/internal/client.go
@@ -24,6 +24,7 @@ import (
 	"os"
 	"strings"

+	"github.com/containerd/errdefs"
 	"github.com/distribution/reference"
 	buildx "github.com/docker/buildx/build"
 	"github.com/docker/buildx/builder"
@@ -339,6 +340,9 @@ func (c *cli) ManifestInspect(ctx context.Context, target string) (string, error
 	}

 	m, err := rc.ManifestHead(ctx, ref)
+	if errors.Is(err, errs.ErrNotFound) {
+		return "", fmt.Errorf("fetching %q: %w", ref, errdefs.ErrNotFound)
+	}
 	if err != nil {
 		return "", fmt.Errorf("fetching %q: %w", ref, err)
 	}
@@ -359,6 +363,9 @@ func (c *cli) ManifestDelete(ctx context.Context, target string) error {
 		provider.GetLogger(ctx).Warning("this registry does not support deletions")
 		return nil
 	}
+	if errors.Is(err, errs.ErrNotFound) {
+		return nil
+	}
 	if err != nil {
 		return err
 	}
--- a/provider/internal/context.go
+++ b/provider/internal/context.go
@@ -170,7 +170,7 @@ func hashFile(
 	if fileMode.IsDir() {
 		return nil
 	}
-	if !(fileMode.IsRegular() || fileMode.Type() == os.ModeSymlink) {
+	if !fileMode.IsRegular() && fileMode.Type() != os.ModeSymlink {
 		return nil
 	}

--- a/provider/internal/embed/image-examples.md
+++ b/provider/internal/embed/image-examples.md
@@ -143,7 +143,7 @@ package main
 import (
 	"fmt"

-	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
+	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ecr"
 	"github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
@@ -241,6 +241,54 @@ variables:
        fn::aws:ecr:getAuthorizationToken:
            registryId: ${ecr-repository.registryId}
 ```
+```hcl
+pulumi {
+  required_providers {
+    aws = {
+      source  = "pulumi/aws"
+      version = "7.29.0"
+    }
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+data "aws_ecr_getauthorizationtoken" "authToken" {
+  registry_id = aws_ecr_repository.ecr-repository.registry_id
+}
+
+resource "aws_ecr_repository" "ecr-repository" {
+}
+resource "docker-build_image" "my-image" {
+  cache_from {
+    registry = {
+      ref ="${aws_ecr_repository.ecr-repository.repository_url}:cache"
+    }
+  }
+  cache_to {
+    registry = {
+      image_manifest  = true
+      oci_media_types = true
+      ref             ="${aws_ecr_repository.ecr-repository.repository_url}:cache"
+    }
+  }
+  context = {
+    location = "./app"
+  }
+  push = true
+  registries {
+    address  = aws_ecr_repository.ecr-repository.repository_url
+    password = data.aws_ecr_getauthorizationtoken.authToken.password
+    username = data.aws_ecr_getauthorizationtoken.authToken.user_name
+  }
+  tags = ["${aws_ecr_repository.ecr-repository.repository_url}:latest"]
+}
+output "ref" {
+  value = docker-build_image.my-image.ref
+}
+```
 ```java
 package generated_program;

@@ -258,8 +306,8 @@ import com.pulumi.dockerbuild.inputs.CacheToArgs;
 import com.pulumi.dockerbuild.inputs.CacheToRegistryArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.RegistryArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -280,14 +328,14 @@ public class App {
        var myImage = new Image("myImage", ImageArgs.builder()
            .cacheFrom(CacheFromArgs.builder()
                .registry(CacheFromRegistryArgs.builder()
-                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:cache", repositoryUrl)))
+                    .ref(ecrRepository.repositoryUrl().applyValue(_repositoryUrl -> String.format("%s:cache", _repositoryUrl)))
                    .build())
                .build())
            .cacheTo(CacheToArgs.builder()
                .registry(CacheToRegistryArgs.builder()
                    .imageManifest(true)
                    .ociMediaTypes(true)
-                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:cache", repositoryUrl)))
+                    .ref(ecrRepository.repositoryUrl().applyValue(_repositoryUrl -> String.format("%s:cache", _repositoryUrl)))
                    .build())
                .build())
            .context(BuildContextArgs.builder()
@@ -296,10 +344,10 @@ public class App {
            .push(true)
            .registries(RegistryArgs.builder()
                .address(ecrRepository.repositoryUrl())
-                .password(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.password())))
-                .username(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.userName())))
+                .password(authToken.applyValue(_authToken -> _authToken.password()))
+                .username(authToken.applyValue(_authToken -> _authToken.userName()))
                .build())
-            .tags(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
+            .tags(ecrRepository.repositoryUrl().applyValue(_repositoryUrl -> String.format("%s:latest", _repositoryUrl)))
            .build());

        ctx.export("ref", myImage.ref());
@@ -406,6 +454,24 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  context = {
+    location = "app"
+  }
+  platforms = ["plan9/amd64", "plan9/386"]
+  push      = false
+}
+```
 ```java
 package generated_program;

@@ -415,8 +481,8 @@ import com.pulumi.core.Output;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -461,7 +527,7 @@ const image = new docker_build.Image("image", {
    }],
    tags: ["docker.io/pulumi/pulumi:3.107.0"],
 });
-export const ref = myImage.ref;
+export const ref = image.ref;
 ```
 ```python
 import pulumi
@@ -478,7 +544,7 @@ image = docker_build.Image("image",
        "username": "pulumibot",
    }],
    tags=["docker.io/pulumi/pulumi:3.107.0"])
-pulumi.export("ref", my_image["ref"])
+pulumi.export("ref", image.ref)
 ```
 ```csharp
 using System.Collections.Generic;
@@ -512,7 +578,7 @@ return await Deployment.RunAsync(() =>

    return new Dictionary<string, object?>
    {
-        ["ref"] = myImage.Ref,
+        ["ref"] = image.Ref,
    };
 });

@@ -527,7 +593,7 @@ import (

 func main() {
 	pulumi.Run(func(ctx *pulumi.Context) error {
-		_, err := dockerbuild.NewImage(ctx, "image", &dockerbuild.ImageArgs{
+		image, err := dockerbuild.NewImage(ctx, "image", &dockerbuild.ImageArgs{
 			Context: &dockerbuild.BuildContextArgs{
 				Location: pulumi.String("app"),
 			},
@@ -546,7 +612,7 @@ func main() {
 		if err != nil {
 			return err
 		}
-		ctx.Export("ref", myImage.Ref)
+		ctx.Export("ref", image.Ref)
 		return nil
 	})
 }
@@ -555,7 +621,7 @@ func main() {
 description: Registry export
 name: registry
 outputs:
-    ref: ${my-image.ref}
+    ref: ${image.ref}
 resources:
    image:
        properties:
@@ -571,6 +637,32 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  context = {
+    location = "app"
+  }
+  push = true
+  registries {
+    address  = "docker.io"
+    password = dockerHubPassword
+    username = "pulumibot"
+  }
+  tags = ["docker.io/pulumi/pulumi:3.107.0"]
+}
+output "ref" {
+  value = docker-build_image.image.ref
+}
+```
 ```java
 package generated_program;

@@ -581,8 +673,8 @@ import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.RegistryArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -607,7 +699,7 @@ public class App {
            .tags("docker.io/pulumi/pulumi:3.107.0")
            .build());

-        ctx.export("ref", myImage.ref());
+        ctx.export("ref", image.ref());
    }
 }
 ```
@@ -756,6 +848,34 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  cache_from {
+    local = {
+      src = "tmp/cache"
+    }
+  }
+  cache_to {
+    local = {
+      dest = "tmp/cache"
+      mode = "max"
+    }
+  }
+  context = {
+    location = "app"
+  }
+  push = false
+}
+```
 ```java
 package generated_program;

@@ -769,8 +889,8 @@ import com.pulumi.dockerbuild.inputs.CacheFromLocalArgs;
 import com.pulumi.dockerbuild.inputs.CacheToArgs;
 import com.pulumi.dockerbuild.inputs.CacheToLocalArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -903,6 +1023,27 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  builder = {
+    name = "cloud-builder-name"
+  }
+  context = {
+    location = "app"
+  }
+  exec = true
+  push = false
+}
+```
 ```java
 package generated_program;

@@ -913,8 +1054,8 @@ import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuilderConfigArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1035,6 +1176,26 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  build_args = {
+    "SET_ME_TO_TRUE" = "true"
+  }
+  context = {
+    location = "app"
+  }
+  push = false
+}
+```
 ```java
 package generated_program;

@@ -1044,8 +1205,8 @@ import com.pulumi.core.Output;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1153,6 +1314,24 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  context = {
+    location = "app"
+  }
+  push   = false
+  target = "build-me"
+}
+```
 ```java
 package generated_program;

@@ -1162,8 +1341,8 @@ import com.pulumi.core.Output;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1291,6 +1470,28 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  context = {
+    location = "app"
+    named = {
+      "golang:latest" = {
+        location = "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984"
+      }
+    }
+  }
+  push = false
+}
+```
 ```java
 package generated_program;

@@ -1300,8 +1501,8 @@ import com.pulumi.core.Output;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1316,12 +1517,13 @@ public class App {
        var image = new Image("image", ImageArgs.builder()
            .context(BuildContextArgs.builder()
                .location("app")
-                .named(Map.of("golang:latest", Map.of("location", "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984")))
-                .build())
-            .push(false)
-            .build());
+                .named(Map.of("golang:latest", ContextArgs.builder()
+%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression)))
+                    .build())
+                .push(false)
+                .build());

-    }
+        }
 }
 ```
 {{% /example %}}
@@ -1404,6 +1606,23 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  context = {
+    location = "https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile"
+  }
+  push = false
+}
+```
 ```java
 package generated_program;

@@ -1413,8 +1632,8 @@ import com.pulumi.core.Output;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1539,6 +1758,26 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  context = {
+    location = "app"
+  }
+  dockerfile = {
+    inline = "FROM busybox\nCOPY hello.c ./\n"
+  }
+  push = false
+}
+```
 ```java
 package generated_program;

@@ -1549,8 +1788,8 @@ import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.DockerfileArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1673,6 +1912,26 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  context = {
+    location = "https://github.com/docker-library/hello-world.git"
+  }
+  dockerfile = {
+    location = "app/Dockerfile"
+  }
+  push = false
+}
+```
 ```java
 package generated_program;

@@ -1683,8 +1942,8 @@ import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.DockerfileArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1819,6 +2078,28 @@ resources:
        type: docker-build:Image
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "image" {
+  context = {
+    location = "app"
+  }
+  exports {
+    docker = {
+      tar = true
+    }
+  }
+  push = false
+}
+```
 ```java
 package generated_program;

@@ -1830,8 +2111,8 @@ import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.ExportArgs;
 import com.pulumi.dockerbuild.inputs.ExportDockerArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
--- a/provider/internal/embed/index-examples.md
+++ b/provider/internal/embed/index-examples.md
@@ -327,6 +327,60 @@ resources:
        type: docker-build:Index
 runtime: yaml
 ```
+```hcl
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.0.15"
+    }
+  }
+}
+
+resource "docker-build_image" "amd64" {
+  cache_from {
+    registry = {
+      ref = "docker.io/pulumi/pulumi:cache-amd64"
+    }
+  }
+  cache_to {
+    registry = {
+      mode = "max"
+      ref  = "docker.io/pulumi/pulumi:cache-amd64"
+    }
+  }
+  context = {
+    location = "app"
+  }
+  platforms = ["linux/amd64"]
+  tags      = ["docker.io/pulumi/pulumi:3.107.0-amd64"]
+}
+resource "docker-build_image" "arm64" {
+  cache_from {
+    registry = {
+      ref = "docker.io/pulumi/pulumi:cache-arm64"
+    }
+  }
+  cache_to {
+    registry = {
+      mode = "max"
+      ref  = "docker.io/pulumi/pulumi:cache-arm64"
+    }
+  }
+  context = {
+    location = "app"
+  }
+  platforms = ["linux/arm64"]
+  tags      = ["docker.io/pulumi/pulumi:3.107.0-arm64"]
+}
+resource "docker-build_index" "index" {
+  sources = [docker-build_image.amd64.ref, docker-build_image.arm64.ref]
+  tag     = "docker.io/pulumi/pulumi:3.107.0"
+}
+output "ref" {
+  value = docker-build_index.index.ref
+}
+```
 ```java
 package generated_program;

@@ -342,8 +396,8 @@ import com.pulumi.dockerbuild.inputs.CacheToRegistryArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.Index;
 import com.pulumi.dockerbuild.IndexArgs;
-import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
--- a/provider/internal/export.go
+++ b/provider/internal/export.go
@@ -28,6 +28,10 @@ import (
 	"github.com/pulumi/pulumi-go-provider/infer"
 )

+const (
+	trueLiteral = "true"
+)
+
 var (
 	_ fmt.Stringer    = (*Export)(nil)
 	_ fmt.Stringer    = (*ExportDocker)(nil)
@@ -114,7 +118,7 @@ func (e Export) pushed() bool {
 		if err != nil {
 			return false
 		}
-		return exp[0].Attrs["push"] == "true"
+		return exp[0].Attrs["push"] == trueLiteral
 	}
 	if e.Registry != nil {
 		return e.Registry.Push == nil || *e.Registry.Push
@@ -182,7 +186,7 @@ func parseExports(inp []string) ([]*controllerapi.ExportEntry, error) {
 		if out.Type == "registry" {
 			out.Type = client.ExporterImage
 			if _, ok := out.Attrs["push"]; !ok {
-				out.Attrs["push"] = "true"
+				out.Attrs["push"] = trueLiteral
 			}
 		}

--- a/provider/internal/host.go
+++ b/provider/internal/host.go
@@ -43,7 +43,7 @@ type host struct {
 	supportsMultipleExports bool
 }

-func newHost(ctx context.Context, config *Config) (*host, error) {
+func newHost(_ context.Context, config *Config) (*host, error) {
 	docker, err := newDockerCLI(config)
 	if err != nil {
 		return nil, err
@@ -98,13 +98,13 @@ func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, err
 	if err != nil && build.ShouldExec() && strings.HasPrefix(opts.Builder, "cloud-") {
 		//nolint:revive // Human-readable.
 		err = errors.Join(err,
-			errors.New("Make sure you're logged in to Docker (`docker login`) if you're trying to use a cloud builder."),
-			errors.New("Make sure you have the correct buildx plugin installed (https://github.com/docker/buildx-desktop)."),
+			errors.New("Make sure you're logged in to Docker (`docker login`) if you're trying to use a cloud builder"),     //nolint:lll,staticcheck
+			errors.New("Make sure you have the correct buildx plugin installed (https://github.com/docker/buildx-desktop)"), //nolint:lll,staticcheck
 		)
 	}
 	if err != nil && build.ShouldExec() {
 		//nolint:revive // Human-readable.
-		err = errors.Join(err, errors.New(
+		err = errors.Join(err, errors.New( //nolint:staticcheck
 			"Make sure your buildx plugin is executable (`docker buildx version`)"),
 		)
 	}
@@ -176,8 +176,8 @@ func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, err
 	if err != nil && !build.ShouldExec() {
 		if strings.Contains(err.Error(), "failed to find driver") {
 			//nolint:revive // Human-readable.
-			err = errors.Join(err, errors.New(
-				"Use `exec: true` if you're trying to use Docker Build Cloud or other custom drivers.",
+			err = errors.Join(err, errors.New( //nolint:staticcheck
+				"Use `exec: true` if you're trying to use Docker Build Cloud or other custom drivers",
 			))
 		}
 		return nil, fmt.Errorf("loading nodes: %w", err)
--- a/provider/internal/image.go
+++ b/provider/internal/image.go
@@ -28,9 +28,9 @@ import (
 	_ "github.com/docker/buildx/driver/kubernetes"
 	_ "github.com/docker/buildx/driver/remote"

+	"github.com/containerd/errdefs"
 	"github.com/distribution/reference"
 	controllerapi "github.com/docker/buildx/controller/pb"
-	"github.com/docker/docker/errdefs"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/secrets/secretsprovider"
--- a/provider/internal/image_test.go
+++ b/provider/internal/image_test.go
@@ -84,7 +84,7 @@ func TestImageLifecycle(t *testing.T) {
 					Return(nil)
 				return c
 			},
-			op: func(t *testing.T) integration.Operation {
+			op: func(_ *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -130,7 +130,7 @@ func TestImageLifecycle(t *testing.T) {
 		{
 			name:   "tags are required when pushing",
 			client: noClient,
-			op: func(t *testing.T) integration.Operation {
+			op: func(_ *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -159,7 +159,7 @@ func TestImageLifecycle(t *testing.T) {
 		{
 			name:   "invalid exports",
 			client: noClient,
-			op: func(t *testing.T) integration.Operation {
+			op: func(_ *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -192,7 +192,7 @@ func TestImageLifecycle(t *testing.T) {
 				)
 				return c
 			},
-			op: func(t *testing.T) integration.Operation {
+			op: func(_ *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -219,7 +219,7 @@ func TestImageLifecycle(t *testing.T) {
 				)
 				return c
 			},
-			op: func(t *testing.T) integration.Operation {
+			op: func(_ *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -252,7 +252,7 @@ func TestImageLifecycle(t *testing.T) {
 				c.EXPECT().Delete(gomock.Any(), "default-dockerfile").Return(nil)
 				return c
 			},
-			op: func(t *testing.T) integration.Operation {
+			op: func(_ *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -294,7 +294,7 @@ func TestImageLifecycle(t *testing.T) {
 				c.EXPECT().Delete(gomock.Any(), "inline-dockerfile").Return(nil)
 				return c
 			},
-			op: func(t *testing.T) integration.Operation {
+			op: func(_ *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -459,7 +459,7 @@ func TestImageDiff(t *testing.T) {
 				is.Pull = true
 				return is
 			},
-			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
 				ia.Pull = true
 				return ia
 			},
@@ -472,7 +472,7 @@ func TestImageDiff(t *testing.T) {
 				is.Load = true
 				return is
 			},
-			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
 				ia.Pull = true
 				ia.Load = true
 				return ia
@@ -534,7 +534,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if pull changes",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
 				ia.Pull = true
 				return ia
 			},
@@ -543,7 +543,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if load changes",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
 				ia.Load = true
 				return ia
 			},
@@ -552,7 +552,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if push changes",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
 				ia.Push = true
 				return ia
 			},
@@ -561,7 +561,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if buildOnPreview doesn't change",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
 				val := true
 				ia.BuildOnPreview = &val
 				return ia
@@ -571,7 +571,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if buildOnPreview changes",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
 				val := false
 				ia.BuildOnPreview = &val
 				return ia
@@ -581,7 +581,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if ssh changes",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
 				ia.SSH = []SSH{{ID: "default"}}
 				return ia
 			},
@@ -590,7 +590,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if hosts change",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
 				ia.AddHosts = []string{"localhost"}
 				return ia
 			},
@@ -751,7 +751,7 @@ func TestImageDiff(t *testing.T) {
 		},
 		{
 			name: "diff if local export doesn't exist",
-			state: func(t *testing.T, state ImageState) ImageState {
+			state: func(_ *testing.T, state ImageState) ImageState {
 				state.Exports = []Export{
 					{Local: &ExportLocal{Dest: "not-real"}},
 				}
@@ -767,7 +767,7 @@ func TestImageDiff(t *testing.T) {
 		},
 		{
 			name: "diff if tar export doesn't exist",
-			state: func(t *testing.T, state ImageState) ImageState {
+			state: func(_ *testing.T, state ImageState) ImageState {
 				state.Exports = []Export{
 					{Tar: &ExportTar{ExportLocal: ExportLocal{Dest: "not-real"}}},
 				}
@@ -917,8 +917,10 @@ func TestValidateImageArgs(t *testing.T) {
 			{
 				name: "gha environment",
 				envs: map[string]string{
-					"ACTIONS_CACHE_URL":     "test-cache-url",
-					"ACTIONS_RUNTIME_TOKEN": "test-runtime-token",
+					"ACTIONS_CACHE_URL":        "test-cache-url",
+					"ACTIONS_RUNTIME_TOKEN":    "test-runtime-token",
+					"ACTIONS_RESULTS_URL":      "test-results-url",
+					"ACTIONS_CACHE_SERVICE_V2": "true",
 				},
 				args: ImageArgs{
 					Context:   &BuildContext{Context: Context{Location: "testdata/noop"}},
@@ -930,15 +932,17 @@ func TestValidateImageArgs(t *testing.T) {
 				wantCacheFrom: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token": "test-runtime-token",
-						"url":   "test-cache-url",
+						"token":  "test-runtime-token",
+						"url":    "test-cache-url",
+						"url_v2": "test-results-url",
 					},
 				},
 				wantCacheTo: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token": "test-runtime-token",
-						"url":   "test-cache-url",
+						"token":  "test-runtime-token",
+						"url":    "test-cache-url",
+						"url_v2": "test-results-url",
 					},
 				},
 			},
--- a/provider/internal/index.go
+++ b/provider/internal/index.go
@@ -19,11 +19,11 @@ import (
 	"errors"
 	"fmt"
 	"reflect"
-	"strings"

 	// For examples/docs.
 	_ "embed"

+	"github.com/containerd/errdefs"
 	"github.com/regclient/regclient/types/errs"

 	provider "github.com/pulumi/pulumi-go-provider"
@@ -223,7 +223,7 @@ func (i *Index) Read(
 	provider.GetLogger(ctx).Debug("reading index with tag " + input.Tag)

 	digest, err := cli.ManifestInspect(ctx, input.Tag)
-	if errors.Is(err, errs.ErrNotFound) {
+	if errdefs.IsNotFound(err) {
 		// A remote tag was expected but isn't there -- delete the resource.
 		return infer.ReadResponse[IndexArgs, IndexState]{ID: "", Inputs: input, State: state}, nil
 	}
@@ -304,9 +304,7 @@ func (i *Index) Delete(
 	}

 	err = cli.ManifestDelete(ctx, state.Ref)
-	// TODO: Upstream buildx swallows the error types we'd like to test for
-	// here.
-	if err != nil && strings.Contains(err.Error(), "No such manifest:") {
+	if errdefs.IsNotFound(err) {
 		return infer.DeleteResponse{}, nil
 	}
 	return infer.DeleteResponse{}, err
--- a/provider/internal/index_test.go
+++ b/provider/internal/index_test.go
@@ -24,6 +24,7 @@ import (
 	"go.uber.org/mock/gomock"

 	provider "github.com/pulumi/pulumi-go-provider"
+	"github.com/pulumi/pulumi-go-provider/infer"
 	"github.com/pulumi/pulumi-go-provider/integration"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/mapper"
@@ -32,7 +33,7 @@ import (

 func TestIndexLifecycle(t *testing.T) {
 	t.Parallel()
-	realClient := func(t *testing.T) clientF { return RealClientF }
+	realClient := func(_ *testing.T) clientF { return RealClientF }

 	tests := []struct {
 		name string
@@ -44,7 +45,7 @@ func TestIndexLifecycle(t *testing.T) {
 		{
 			name:   "not pushed",
 			client: realClient,
-			op: func(t *testing.T) integration.Operation {
+			op: func(_ *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"tag": property.New(
@@ -63,7 +64,7 @@ func TestIndexLifecycle(t *testing.T) {
 			name:   "pushed",
 			skip:   os.Getenv("DOCKER_HUB_PASSWORD") == "",
 			client: realClient,
-			op: func(t *testing.T) integration.Operation {
+			op: func(_ *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"tag": property.New(
@@ -85,7 +86,7 @@ func TestIndexLifecycle(t *testing.T) {
 		},
 		{
 			name: "expired credentials",
-			client: func(t *testing.T) clientF {
+			client: func(_ *testing.T) clientF {
 				ctrl := gomock.NewController(t)
 				c := NewMockClient(ctrl)
 				c.EXPECT().ManifestCreate(gomock.Any(), true, gomock.Any(), gomock.Any())
@@ -93,7 +94,7 @@ func TestIndexLifecycle(t *testing.T) {
 				c.EXPECT().ManifestDelete(gomock.Any(), gomock.Any()).Return(nil)
 				return mockClientF(c)
 			},
-			op: func(t *testing.T) integration.Operation {
+			op: func(_ *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"tag": property.New(
@@ -157,7 +158,7 @@ func TestIndexDiff(t *testing.T) {
 		{
 			name:  "diff if tag changes",
 			state: func(*testing.T, IndexState) IndexState { return baseState },
-			inputs: func(t *testing.T, a IndexArgs) IndexArgs {
+			inputs: func(_ *testing.T, a IndexArgs) IndexArgs {
 				a.Tag = "new-tag"
 				return a
 			},
@@ -235,3 +236,26 @@ func TestIndexDiff(t *testing.T) {
 		})
 	}
 }
+
+func TestIndexDelete(t *testing.T) {
+	t.Parallel()
+	t.Run("manifest already deleted (404)", func(t *testing.T) {
+		t.Parallel()
+		ctrl := gomock.NewController(t)
+		client := NewMockClient(ctrl)
+		client.EXPECT().
+			ManifestDelete(gomock.Any(), "docker.io/pulumi/test:manifest").
+			Return(errNotFound{})
+
+		i := &Index{clientF: mockClientF(client)}
+
+		_, err := i.Delete(t.Context(), infer.DeleteRequest[IndexState]{
+			ID: "foo",
+			State: IndexState{
+				IndexArgs: IndexArgs{Tag: "docker.io/pulumi/test:manifest"},
+				Ref:       "docker.io/pulumi/test:manifest",
+			},
+		})
+		assert.NoError(t, err)
+	})
+}
--- a/provider/internal/provider.go
+++ b/provider/internal/provider.go
@@ -18,11 +18,11 @@ import (
 	"context"
 	"fmt"

+	csgen "github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3/codegen"
 	provider "github.com/pulumi/pulumi-go-provider"
 	"github.com/pulumi/pulumi-go-provider/infer"
 	pschema "github.com/pulumi/pulumi-go-provider/middleware/schema"
 	"github.com/pulumi/pulumi-java/pkg/codegen/java"
-	csgen "github.com/pulumi/pulumi/pkg/v3/codegen/dotnet"
 	gogen "github.com/pulumi/pulumi/pkg/v3/codegen/go"
 	tsgen "github.com/pulumi/pulumi/pkg/v3/codegen/nodejs"
 	pygen "github.com/pulumi/pulumi/pkg/v3/codegen/python"
--- a/provider/provider.go
+++ b/provider/provider.go
@@ -15,10 +15,11 @@
 package provider

 import (
-	"github.com/pulumi/pulumi-docker-build/provider/internal"
 	gp "github.com/pulumi/pulumi-go-provider"
 	"github.com/pulumi/pulumi/pkg/v3/resource/provider"
 	rpc "github.com/pulumi/pulumi/sdk/v3/proto/go"
+
+	"github.com/pulumi/pulumi-docker-build/provider/internal"
 )

 // Version is initialized by the Go linker to contain the semver of this build.
--- a/scripts/get-versions.sh
+++ b/scripts/get-versions.sh
@@ -34,8 +34,8 @@ if [[ -z "${raw_version:-}" ]]; then
  exit 1
 fi

-echo "MISE_PULUMI_VERSION=$raw_version"
-export MISE_PULUMI_VERSION=$raw_version
+echo "PULUMI_VERSION_MISE=$raw_version"
+export PULUMI_VERSION_MISE=$raw_version

 # Prefer the toolchain directive if present, otherwise fall back to the `go` version line
 go_toolchain=$(awk '/^toolchain[[:space:]]+go[0-9]/{ print $2; exit }' "$gomod")
@@ -51,5 +51,5 @@ if [[ -z "${go_version:-}" ]]; then
  exit 1
 fi

-echo "MISE_GO_VERSION=$go_version"
-export MISE_GO_VERSION=$go_version
+echo "GO_VERSION_MISE=$go_version"
+export GO_VERSION_MISE=$go_version
--- a/sdk/dotnet/.gitattributes
+++ b/sdk/dotnet/.gitattributes
@@ -0,0 +1 @@
+* linguist-generated
--- a/sdk/dotnet/.gitignore
+++ b/sdk/dotnet/.gitignore
@@ -0,0 +1,2 @@
+bin
+obj
--- a/sdk/dotnet/Image.cs
+++ b/sdk/dotnet/Image.cs
@@ -240,7 +240,7 @@ namespace Pulumi.DockerBuild
    /// 
    ///     return new Dictionary&lt;string, object?&gt;
    ///     {
-    ///         ["ref"] = myImage.Ref,
+    ///         ["ref"] = image.Ref,
    ///     };
    /// });
    /// 
--- a/sdk/dotnet/Inputs/CacheFromGitHubActionsArgs.cs
+++ b/sdk/dotnet/Inputs/CacheFromGitHubActionsArgs.cs
@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {

+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
    public sealed class CacheFromGitHubActionsArgs : global::Pulumi.ResourceArgs
    {
        /// <summary>
@@ -21,42 +27,9 @@ namespace Pulumi.DockerBuild.Inputs
        [Input("scope")]
        public Input<string>? Scope { get; set; }

-        [Input("token")]
-        private Input<string>? _token;
-
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public Input<string>? Token
-        {
-            get => _token;
-            set
-            {
-                var emptySecret = Output.CreateSecret(0);
-                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
-            }
-        }
-
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        [Input("url")]
-        public Input<string>? Url { get; set; }
-
        public CacheFromGitHubActionsArgs()
        {
            Scope = "buildkit";
-            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
-            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
        }
        public static new CacheFromGitHubActionsArgs Empty => new CacheFromGitHubActionsArgs();
    }
--- a/sdk/dotnet/Inputs/CacheToGitHubActionsArgs.cs
+++ b/sdk/dotnet/Inputs/CacheToGitHubActionsArgs.cs
@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {

+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
    public sealed class CacheToGitHubActionsArgs : global::Pulumi.ResourceArgs
    {
        /// <summary>
@@ -33,44 +39,11 @@ namespace Pulumi.DockerBuild.Inputs
        [Input("scope")]
        public Input<string>? Scope { get; set; }

-        [Input("token")]
-        private Input<string>? _token;
-
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public Input<string>? Token
-        {
-            get => _token;
-            set
-            {
-                var emptySecret = Output.CreateSecret(0);
-                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
-            }
-        }
-
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        [Input("url")]
-        public Input<string>? Url { get; set; }
-
        public CacheToGitHubActionsArgs()
        {
            IgnoreError = false;
            Mode = Pulumi.DockerBuild.CacheMode.Min;
            Scope = "buildkit";
-            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
-            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
        }
        public static new CacheToGitHubActionsArgs Empty => new CacheToGitHubActionsArgs();
    }
--- a/sdk/dotnet/Outputs/CacheFromGitHubActions.cs
+++ b/sdk/dotnet/Outputs/CacheFromGitHubActions.cs
@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {

+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
    [OutputType]
    public sealed class CacheFromGitHubActions
    {
@@ -20,35 +26,11 @@ namespace Pulumi.DockerBuild.Outputs
        /// workflow, otherwise caches will overwrite each other.
        /// </summary>
        public readonly string? Scope;
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Token;
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Url;

        [OutputConstructor]
-        private CacheFromGitHubActions(
-            string? scope,
-
-            string? token,
-
-            string? url)
+        private CacheFromGitHubActions(string? scope)
        {
            Scope = scope;
-            Token = token;
-            Url = url;
        }
    }
 }
--- a/sdk/dotnet/Outputs/CacheToGitHubActions.cs
+++ b/sdk/dotnet/Outputs/CacheToGitHubActions.cs
@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {

+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
    [OutputType]
    public sealed class CacheToGitHubActions
    {
@@ -28,23 +34,6 @@ namespace Pulumi.DockerBuild.Outputs
        /// workflow, otherwise caches will overwrite each other.
        /// </summary>
        public readonly string? Scope;
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Token;
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Url;

        [OutputConstructor]
        private CacheToGitHubActions(
@@ -52,17 +41,11 @@ namespace Pulumi.DockerBuild.Outputs

            Pulumi.DockerBuild.CacheMode? mode,

-            string? scope,
-
-            string? token,
-
-            string? url)
+            string? scope)
        {
            IgnoreError = ignoreError;
            Mode = mode;
            Scope = scope;
-            Token = token;
-            Url = url;
        }
    }
 }
--- a/sdk/go/.gitattributes
+++ b/sdk/go/.gitattributes
@@ -0,0 +1 @@
+* linguist-generated
--- a/sdk/go/dockerbuild/go.mod
+++ b/sdk/go/dockerbuild/go.mod
@@ -1,102 +1,124 @@
 module github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild

-go 1.24.1
+go 1.25.8

 require (
 	github.com/blang/semver v3.5.1+incompatible
-	github.com/pulumi/pulumi/sdk/v3 v3.192.0
+	github.com/pulumi/pulumi/sdk/v3 v3.243.0
 )

 require (
 	dario.cat/mergo v1.0.1 // indirect
-	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
-	github.com/charmbracelet/bubbles v0.21.0 // indirect
-	github.com/charmbracelet/bubbletea v1.3.4 // indirect
-	github.com/charmbracelet/colorprofile v0.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/charmbracelet/bubbles v1.0.0 // indirect
+	github.com/charmbracelet/bubbletea v1.3.10 // indirect
+	github.com/charmbracelet/colorprofile v0.4.3 // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
-	github.com/charmbracelet/x/ansi v0.8.0 // indirect
-	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
-	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/charmbracelet/x/ansi v0.11.7 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
+	github.com/charmbracelet/x/term v0.2.2 // indirect
 	github.com/cheggaaa/pb v1.0.29 // indirect
-	github.com/cloudflare/circl v1.6.1 // indirect
-	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/clipperhouse/displaywidth v0.11.0 // indirect
+	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/djherbis/times v1.6.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
-	github.com/fatih/color v1.17.0 // indirect
-	github.com/frankban/quicktest v1.14.6 // indirect
+	github.com/fatih/color v1.18.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/go-git/go-git/v5 v5.16.0 // indirect
+	github.com/go-git/go-billy/v5 v5.9.0 // indirect
+	github.com/go-git/go-git/v5 v5.19.1 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/glog v1.2.4 // indirect
+	github.com/golang/glog v1.2.5 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
+	github.com/hashicorp/go-version v1.9.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.22 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-runewidth v0.0.23 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
-	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pgavlin/fx/v2 v2.0.12 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.17.0 // indirect
+	github.com/pulumi/esc v0.24.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
-	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/cobra v1.10.2 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/zclconf/go-cty v1.16.3 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	github.com/zclconf/go-cty v1.17.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/collector/featuregate v1.58.0 // indirect
+	go.opentelemetry.io/collector/pdata v1.58.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/net v0.40.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.33.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/net v0.55.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260522204824-7f3bc5b78da9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260522204824-7f3bc5b78da9 // indirect
+	google.golang.org/grpc v1.81.1 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/frand v1.5.1 // indirect
-	pgregory.net/rapid v1.1.0 // indirect
 )
--- a/sdk/go/dockerbuild/go.sum
+++ b/sdk/go/dockerbuild/go.sum
@@ -1,7 +1,7 @@
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
-github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
+github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
@@ -23,28 +23,35 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u6mfQdFs=
-github.com/charmbracelet/bubbles v0.21.0/go.mod h1:HF+v6QUR4HkEpz62dx7ym2xc71/KBHg+zKwJtMw+qtg=
-github.com/charmbracelet/bubbletea v1.3.4 h1:kCg7B+jSCFPLYRA52SDZjr51kG/fMUEoPoZrkaDHyoI=
-github.com/charmbracelet/bubbletea v1.3.4/go.mod h1:dtcUCyCGEX3g9tosuYiut3MXgY/Jsv9nKVdibKKRRXo=
-github.com/charmbracelet/colorprofile v0.3.0 h1:KtLh9uuu1RCt+Hml4s6Hz+kB1PfV3wi++1h5ia65yKQ=
-github.com/charmbracelet/colorprofile v0.3.0/go.mod h1:oHJ340RS2nmG1zRGPmhJKJ/jf4FPNNk0P39/wBPA1G0=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/charmbracelet/bubbles v1.0.0 h1:12J8/ak/uCZEMQ6KU7pcfwceyjLlWsDLAxB5fXonfvc=
+github.com/charmbracelet/bubbles v1.0.0/go.mod h1:9d/Zd5GdnauMI5ivUIVisuEm3ave1XwXtD1ckyV6r3E=
+github.com/charmbracelet/bubbletea v1.3.10 h1:otUDHWMMzQSB0Pkc87rm691KZ3SWa4KUlvF9nRvCICw=
+github.com/charmbracelet/bubbletea v1.3.10/go.mod h1:ORQfo0fk8U+po9VaNvnV95UPWA1BitP1E0N6xJPlHr4=
+github.com/charmbracelet/colorprofile v0.4.3 h1:QPa1IWkYI+AOB+fE+mg/5/4HRMZcaXex9t5KX76i20Q=
+github.com/charmbracelet/colorprofile v0.4.3/go.mod h1:/zT4BhpD5aGFpqQQqw7a+VtHCzu+zrQtt1zhMt9mR4Q=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
-github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
-github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
-github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
-github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
-github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
-github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
+github.com/charmbracelet/x/ansi v0.11.7 h1:kzv1kJvjg2S3r9KHo8hDdHFQLEqn4RBCb39dAYC84jI=
+github.com/charmbracelet/x/ansi v0.11.7/go.mod h1:9qGpnAVYz+8ACONkZBUWPtL7lulP9No6p1epAihUZwQ=
+github.com/charmbracelet/x/cellbuf v0.0.15 h1:ur3pZy0o6z/R7EylET877CBxaiE1Sp1GMxoFPAIztPI=
+github.com/charmbracelet/x/cellbuf v0.0.15/go.mod h1:J1YVbR7MUuEGIFPCaaZ96KDl5NoS0DAWkskup+mOY+Q=
+github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=
+github.com/charmbracelet/x/term v0.2.2/go.mod h1:kF8CY5RddLWrsgVwpw4kAa6TESp6EB5y3uxGLeCqzAI=
 github.com/cheggaaa/pb v1.0.29 h1:FckUN5ngEk2LpvuG0fw1GEFx6LtyY2pWI/Z2QgCnEYo=
 github.com/cheggaaa/pb v1.0.29/go.mod h1:W40334L7FMC5JKWldsTWbdGjLo0RxUKK73K+TuPxX30=
-github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
-github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSEFgwIwO+UVM8=
+github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
+github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
+github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
-github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
+github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -58,38 +65,41 @@ github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FM
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
-github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
-github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
-github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
-github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
+github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM=
-github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
+github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmmBPA=
+github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.16.0 h1:k3kuOEpkc0DeY7xlL6NaaNg39xdgQbtH5mwCafHO9AQ=
-github.com/go-git/go-git/v5 v5.16.0/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-git/go-git/v5 v5.19.1 h1:nX27AnaU43/K5bKktKwgBmR9lawoYVe1Ckg0rgzzN00=
+github.com/go-git/go-git/v5 v5.19.1/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/glog v1.2.4 h1:CNNw5U8lSiiBk7druxtSHHTsRWcxKoac6kZKm2peBBc=
-github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.5 h1:DrW6hGnjIhtvhOIiAKT6Psh/Kd/ldepEa81DKeiRJ5I=
+github.com/golang/glog v1.2.5/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 h1:5VipnvEpbqr2gA2VbM+nYVbkIF28c5ZQfqCBQ5g2xfk=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0/go.mod h1:Hyl3n6Twe1hvtd9XUXDec4pTvgMSEixRuQKPTMH2bNs=
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 h1:MJG/KsmcqMwFAkh8mTnAwhyKoB+sTAnY4CACC110tbU=
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645/go.mod h1:6iZfnjpejD4L/4DwD7NryNaJyCQdzwWwH2MWhCA90Kw=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -97,17 +107,25 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
-github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
+github.com/hashicorp/go-version v1.9.0 h1:CeOIz6k+LoN3qX9Z0tyQrPtiB1DFYRPfCIBtaXPSCnA=
+github.com/hashicorp/go-version v1.9.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/hcl/v2 v2.24.0 h1:2QJdZ454DSsYGoaE6QheQZjtKZSUs9Nh2izTWiwQxvE=
+github.com/hashicorp/hcl/v2 v2.24.0/go.mod h1:oGoO1FIQYfn/AgyOhlg9qLC6/nOJPX3qGbkZpYAcqfM=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -115,24 +133,30 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
-github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/lucasb-eyer/go-colorful v1.4.0 h1:UtrWVfLdarDgc44HcS7pYloGHJUjHV/4FwW4TvVgFr4=
+github.com/lucasb-eyer/go-colorful v1.4.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
+github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
-github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.23 h1:7ykA0T0jkPpzSvMS5i9uoNn2Xy3R383f9HDx3RybWcw=
+github.com/mattn/go-runewidth v0.0.23/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
@@ -148,11 +172,10 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pgavlin/fx v0.1.6 h1:r9jEg69DhNoCd3Xh0+5mIbdbS3PqWrVWujkY76MFRTU=
 github.com/pgavlin/fx v0.1.6/go.mod h1:KWZJ6fqBBSh8GxHYqwYCf3rYE7Gp2p0N8tJp8xv9u9M=
-github.com/pgavlin/fx/v2 v2.0.3 h1:ZBVklTFjxcWvBVPE+ti5qwnmTIQ0Gq6nuj3J5RKDtKk=
-github.com/pgavlin/fx/v2 v2.0.3/go.mod h1:Cvnwqq0BopdHUJ7CU50h1XPeKrF4ZwdFj1nJLXbAjCE=
-github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
-github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/pgavlin/fx/v2 v2.0.12 h1:SjjaJ68Dt8Z4zHwOpY/RPijd7lShs6xYupJbF9ra00M=
+github.com/pgavlin/fx/v2 v2.0.12/go.mod h1:M/nF/ooAOy+NUBooYYXl2REARzJ/giPJxfMs8fINfKc=
+github.com/pjbgf/sha1cd v0.6.0 h1:3WJ8Wz8gvDz29quX1OcEmkAlUg9diU4GxJHqs0/XiwU=
+github.com/pjbgf/sha1cd v0.6.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/term v1.1.0 h1:xIAAdCMh3QIAy+5FrE8Ad8XoDhEU4ufwbaSozViP9kk=
@@ -162,32 +185,29 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
-github.com/pulumi/esc v0.17.0 h1:oaVOIyFTENlYDuqc3pW75lQT9jb2cd6ie/4/Twxn66w=
-github.com/pulumi/esc v0.17.0/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
-github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/pulumi/esc v0.24.0 h1:sCtiB0qbyrlU1ZNzJn4dTLYiChl8xeCBFbHWl1YoXJg=
+github.com/pulumi/esc v0.24.0/go.mod h1:eCOOkcDJS6eooGwdE4/E0+pOsvUWG254+KBmPCFwJpA=
+github.com/pulumi/pulumi/sdk/v3 v3.243.0 h1:pZaMx58nXrdh4XB0cgTlHnL3EMy3/JQwuin3aDuWyRM=
+github.com/pulumi/pulumi/sdk/v3 v3.243.0/go.mod h1:BPWWuYPXcPH5YbXGoyy9Rrfa+evrh6IdM51AjDhcDpM=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI=
-github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06/go.mod h1:+ePHsJ1keEjQtpvf9HHw0f4ZeJ0TLRsxhunSI2hYJSs=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
-github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
-github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
+github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
 github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
@@ -195,9 +215,8 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U=
 github.com/texttheater/golang-levenshtein v1.0.1/go.mod h1:PYAKrbF5sAiq9wd+H82hs7gNaen0CplQ9uvm6+enD/8=
 github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
@@ -210,49 +229,72 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/zclconf/go-cty v1.16.3 h1:osr++gw2T61A8KVYHoQiFbFd1Lh3JOCXc/jFLJXKTxk=
-github.com/zclconf/go-cty v1.16.3/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
-go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
-go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
-go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
-go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
-go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
-go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+github.com/zclconf/go-cty v1.17.0 h1:seZvECve6XX4tmnvRzWtJNHdscMtYEx5R7bnnVyd/d0=
+github.com/zclconf/go-cty v1.17.0/go.mod h1:wqFzcImaLTI6A5HfsRwB0nj5n0MRZFwmey8YoFPPs3U=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/collector/featuregate v1.58.0 h1:Kh6Dpgbxywv/Q3D6qPehaSxNCxvr/U/ki7CL4y3udCo=
+go.opentelemetry.io/collector/featuregate v1.58.0/go.mod h1:4ga1QBMPEejXXmpyJS8lmaRpknJ3Lb9Bvk6e420bUFU=
+go.opentelemetry.io/collector/internal/testutil v0.152.0 h1:8LGwekR7mLcUDhT1ofLmdnrHRFuUa3U7PBd95ZvJEjQ=
+go.opentelemetry.io/collector/internal/testutil v0.152.0/go.mod h1:Jkjs6rkqs973LqgZ0Fe3zrokQRKULYXPIf4HuqStiEE=
+go.opentelemetry.io/collector/pdata v1.58.0 h1:5Lxut3NxKp87066Pzt+3q7+JUuFI5B3teCyLZIF8wIs=
+go.opentelemetry.io/collector/pdata v1.58.0/go.mod h1:4vZtODINbC/JF3eGocnatdImzbRHseOywIcr+aULjCg=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 h1:RAE+JPfvEmvy+0LzyUA25/SGawPwIUbZ6u0Wug54sLc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0/go.mod h1:AGmbycVGEsRx9mXMZ75CsOyhSP6MFIcj/6dnG+vhVjk=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
+go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
+go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
+go.opentelemetry.io/proto/slim/otlp v1.10.0 h1:iR97Vs/ZDR+y9TfuP9b1XBtdPWeC+OMslIBmhcLU7jM=
+go.opentelemetry.io/proto/slim/otlp v1.10.0/go.mod h1:lV9250stpjYLPNA5viFabIgP2QlUGRT1GdTgAf8SIUk=
+go.opentelemetry.io/proto/slim/otlp/collector/profiles/v1development v0.3.0 h1:RUF5rO0hAlgiJt1fzQVzcVs3vZVNHIcMLgOgG4rWNcQ=
+go.opentelemetry.io/proto/slim/otlp/collector/profiles/v1development v0.3.0/go.mod h1:I89cynRj8y+383o7tEQVg2SVA6SRgDVIouWPUVXjx0U=
+go.opentelemetry.io/proto/slim/otlp/profiles/v1development v0.3.0 h1:CQvJSldHRUN6Z8jsUeYv8J0lXRvygALXIzsmAeCcZE0=
+go.opentelemetry.io/proto/slim/otlp/profiles/v1development v0.3.0/go.mod h1:xSQ+mEfJe/GjK1LXEyVOoSI1N9JV9ZI923X5kup43W4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -267,35 +309,38 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
-golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
+google.golang.org/genproto/googleapis/api v0.0.0-20260522204824-7f3bc5b78da9 h1:dlKupvNsf7YXJYxduemxBzqGX8zjzedsttskfjgLIO8=
+google.golang.org/genproto/googleapis/api v0.0.0-20260522204824-7f3bc5b78da9/go.mod h1:1dCETSCY2YKZNXQE3h4fun3TYwF5p8jejRKZgfWAgAY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260522204824-7f3bc5b78da9 h1:UScUq4IhqF8ll85bMGS/l0D+iGzwQXpX5RBYQEwjahU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260522204824-7f3bc5b78da9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ=
+google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -305,10 +350,9 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 lukechampine.com/frand v1.5.1 h1:fg0eRtdmGFIxhP5zQJzM1lFDbD6CUfu/f+7WgAZd5/w=
 lukechampine.com/frand v1.5.1/go.mod h1:4VstaWc2plN4Mjr10chUD46RAVGWhpkZ5Nja8+Azp0Q=
-pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
-pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
--- a/sdk/go/dockerbuild/image.go
+++ b/sdk/go/dockerbuild/image.go
@@ -124,7 +124,7 @@ import (
 //
 //	"fmt"
 //
-//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
+//	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ecr"
 //	"github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
 //	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 //
@@ -234,7 +234,7 @@ import (
 //
 //	func main() {
 //		pulumi.Run(func(ctx *pulumi.Context) error {
-//			_, err := dockerbuild.NewImage(ctx, "image", &dockerbuild.ImageArgs{
+//			image, err := dockerbuild.NewImage(ctx, "image", &dockerbuild.ImageArgs{
 //				Context: &dockerbuild.BuildContextArgs{
 //					Location: pulumi.String("app"),
 //				},
@@ -253,7 +253,7 @@ import (
 //			if err != nil {
 //				return err
 //			}
-//			ctx.Export("ref", myImage.Ref)
+//			ctx.Export("ref", image.Ref)
 //			return nil
 //		})
 //	}
--- a/sdk/go/dockerbuild/pulumiTypes.go
+++ b/sdk/go/dockerbuild/pulumiTypes.go
@@ -834,25 +834,16 @@ func (o CacheFromAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }

 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -865,18 +856,6 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }

@@ -891,25 +870,16 @@ type CacheFromGitHubActionsInput interface {
 	ToCacheFromGitHubActionsOutputWithContext(context.Context) CacheFromGitHubActionsOutput
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumi.StringPtrInput `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumi.StringPtrInput `pulumi:"url"`
 }

 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -921,16 +891,6 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumi.StringPtr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumi.StringPtr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -998,6 +958,10 @@ func (i *cacheFromGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Ou
 	}
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }

 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -1036,25 +1000,6 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }

-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
-}
-
 type CacheFromGitHubActionsPtrOutput struct{ *pulumi.OutputState }

 func (CacheFromGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -1098,35 +1043,6 @@ func (o CacheFromGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }

-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Token
-	}).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Url
-	}).(pulumi.StringPtrOutput)
-}
-
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -2361,6 +2277,10 @@ func (o CacheToAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -2371,19 +2291,6 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }

 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -2404,18 +2311,6 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }

@@ -2430,6 +2325,10 @@ type CacheToGitHubActionsInput interface {
 	ToCacheToGitHubActionsOutputWithContext(context.Context) CacheToGitHubActionsOutput
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumi.BoolPtrInput `pulumi:"ignoreError"`
@@ -2440,19 +2339,6 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumi.StringPtrInput `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumi.StringPtrInput `pulumi:"url"`
 }

 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -2470,16 +2356,6 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumi.StringPtr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumi.StringPtr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -2547,6 +2423,10 @@ func (i *cacheToGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Outp
 	}
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }

 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -2595,25 +2475,6 @@ func (o CacheToGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }

-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
-}
-
 type CacheToGitHubActionsPtrOutput struct{ *pulumi.OutputState }

 func (CacheToGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -2677,35 +2538,6 @@ func (o CacheToGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }

-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheToGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Token
-	}).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheToGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Url
-	}).(pulumi.StringPtrOutput)
-}
-
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }
--- a/sdk/go/dockerbuild/x/image.go
+++ b/sdk/go/dockerbuild/x/image.go
@@ -124,7 +124,7 @@ import (
 //
 //	"fmt"
 //
-//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
+//	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ecr"
 //	"github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
 //	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 //
@@ -234,7 +234,7 @@ import (
 //
 //	func main() {
 //		pulumi.Run(func(ctx *pulumi.Context) error {
-//			_, err := dockerbuild.NewImage(ctx, "image", &dockerbuild.ImageArgs{
+//			image, err := dockerbuild.NewImage(ctx, "image", &dockerbuild.ImageArgs{
 //				Context: &dockerbuild.BuildContextArgs{
 //					Location: pulumi.String("app"),
 //				},
@@ -253,7 +253,7 @@ import (
 //			if err != nil {
 //				return err
 //			}
-//			ctx.Export("ref", myImage.Ref)
+//			ctx.Export("ref", image.Ref)
 //			return nil
 //		})
 //	}
--- a/sdk/go/dockerbuild/x/pulumiTypes.go
+++ b/sdk/go/dockerbuild/x/pulumiTypes.go
@@ -393,25 +393,16 @@ func (o CacheFromAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromAzureBlob](o, func(v CacheFromAzureBlob) *string { return v.SecretAccessKey })
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }

 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -424,40 +415,19 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumix.Input[*string] `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumix.Input[*string] `pulumi:"url"`
 }

 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -469,16 +439,6 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumix.Ptr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumix.Ptr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -497,6 +457,10 @@ func (i *CacheFromGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Outpu
 	return pulumix.Val(i)
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }

 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -525,25 +489,6 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Scope })
 }

-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Token() pulumix.Output[*string] {
-	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Token })
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Url() pulumix.Output[*string] {
-	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Url })
-}
-
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -1134,6 +1079,10 @@ func (o CacheToAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToAzureBlob](o, func(v CacheToAzureBlob) *string { return v.SecretAccessKey })
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -1144,19 +1093,6 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }

 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -1177,21 +1113,13 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumix.Input[*bool] `pulumi:"ignoreError"`
@@ -1202,19 +1130,6 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumix.Input[*string] `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumix.Input[*string] `pulumi:"url"`
 }

 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -1232,16 +1147,6 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumix.Ptr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumix.Ptr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -1260,6 +1165,10 @@ func (i *CacheToGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Output[
 	return pulumix.Val(i)
 }

+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }

 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -1298,25 +1207,6 @@ func (o CacheToGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Scope })
 }

-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Token() pulumix.Output[*string] {
-	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Token })
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Url() pulumix.Output[*string] {
-	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Url })
-}
-
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .192.0
 .239.0